| < draft-ietf-kitten-sasl-oauth-06.txt | draft-ietf-kitten-sasl-oauth-07.txt > | |||
|---|---|---|---|---|
| KITTEN W. Mills | KITTEN W. Mills | |||
| Internet-Draft Yahoo! Inc. | Internet-Draft Yahoo! Inc. | |||
| Intended status: Standards Track T. Showalter | Intended status: Standards Track T. Showalter | |||
| Expires: March 5, 2013 | Expires: March 17, 2013 | |||
| H. Tschofenig | H. Tschofenig | |||
| Nokia Siemens Networks | Nokia Siemens Networks | |||
| September 1, 2012 | September 13, 2012 | |||
| A set of SASL and GSS-API Mechanisms for OAuth | A set of SASL and GSS-API Mechanisms for OAuth | |||
| draft-ietf-kitten-sasl-oauth-06 | draft-ietf-kitten-sasl-oauth-07 | |||
| Abstract | Abstract | |||
| OAuth enables a third-party application to obtain limited access to a | OAuth enables a third-party application to obtain limited access to a | |||
| protected resource, either on behalf of a resource owner by | protected resource, either on behalf of a resource owner by | |||
| orchestrating an approval interaction, or by allowing the third-party | orchestrating an approval interaction, or by allowing the third-party | |||
| application to obtain access on its own behalf. | application to obtain access on its own behalf. | |||
| This document defines how an application client uses credentials | This document defines how an application client uses credentials | |||
| obtained via OAuth over the Simple Authentication and Security Layer | obtained via OAuth over the Simple Authentication and Security Layer | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 5, 2013. | This Internet-Draft will expire on March 17, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 20 ¶ | skipping to change at page 3, line 20 ¶ | |||
| 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 | |||
| 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 | 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 | |||
| 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 | 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 | |||
| 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 | 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 | |||
| 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 | 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.2.3. Server response to failed authentication. . . . . . . 11 | 3.2.3. Server response to failed authentication. . . . . . . 11 | |||
| 3.2.4. Completing an error message sequence. . . . . . . . . 12 | 3.2.4. Completing an error message sequence. . . . . . . . . 12 | |||
| 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 | 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 | |||
| 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 | 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 | 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15 | |||
| 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 | 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 17 | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 | 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 18 | |||
| 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 | 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 | 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 20 | |||
| 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 | 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 20 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 | 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 23 | |||
| 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 23 | 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 24 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 25 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 25 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 26 | |||
| Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 26 | Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 27 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 27 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 28 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 1. Introduction | 1. Introduction | |||
| OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain | |||
| limited access to a protected resource, either on behalf of a | limited access to a protected resource, either on behalf of a | |||
| resource owner by orchestrating an approval interaction, or by | resource owner by orchestrating an approval interaction, or by | |||
| allowing the third-party application to obtain access on its own | allowing the third-party application to obtain access on its own | |||
| behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not | |||
| define the interaction between the client and the resource server | define the interaction between the client and the resource server | |||
| with the access to a protected resource using an Access Token. This | with the access to a protected resource using an Access Token. This | |||
| skipping to change at page 8, line 45 ¶ | skipping to change at page 8, line 45 ¶ | |||
| server in order to allow the server to finish the exchange. Some | server in order to allow the server to finish the exchange. Some | |||
| protocols and common SASL implementations do not support both sending | protocols and common SASL implementations do not support both sending | |||
| a SASL message and finalizing a SASL negotiation, the additional | a SASL message and finalizing a SASL negotiation, the additional | |||
| client message in the error case deals with this problem. This | client message in the error case deals with this problem. This | |||
| exchange is: | exchange is: | |||
| o Client sends an invalid initial client response. | o Client sends an invalid initial client response. | |||
| o Server responds with an error message. | o Server responds with an error message. | |||
| o Client sends an empty client reponse. | o Client sends a dummy client reponse. | |||
| o Server fails the authentication. | o Server fails the authentication. | |||
| 3.1. Initial Client Response | 3.1. Initial Client Response | |||
| Client responses are a key/value pair sequence. The initial client | Client responses are a key/value pair sequence. The initial client | |||
| response includes a gs2-header as defined in GS2 [RFC5801], which | response includes a gs2-header as defined in GS2 [RFC5801], which | |||
| carries the authorization ID. These key/value pairs carry the | carries the authorization ID. These key/value pairs carry the | |||
| equivalent values from an HTTP context in order to be able to | equivalent values from an HTTP context in order to be able to | |||
| complete an OAuth style HTTP authorization. The client MUST send an | complete an OAuth style HTTP authorization. The ABNF [RFC5234] | |||
| authorization ID in the gs2-header. The ABNF [RFC5234] syntax is: | syntax is: | |||
| kvsep = %x01 | kvsep = %x01 | |||
| key = 1*ALPHA | key = 1*ALPHA | |||
| value = *(VCHAR | SP | HTAB | CR | LF ) | value = *(VCHAR | SP | HTAB | CR | LF ) | |||
| kvpair = key "=" value kvsep | kvpair = key "=" value kvsep | |||
| client_resp = 0*kvpair kvsep | client_resp = 0*kvpair kvsep | |||
| ;; gs2-header = As defined in GSS-API | ;; gs2-header = As defined in GSS-API | |||
| initial_client_resp = gs2-header kvsep client_resp | initial_client_resp = gs2-header kvsep client_resp | |||
| The following key/value pairs are defined in the client response: | The following key/value pairs are defined in the client response: | |||
| skipping to change at page 10, line 29 ¶ | skipping to change at page 10, line 29 ¶ | |||
| post (RESERVED): HTTP post data, the default value is "". | post (RESERVED): HTTP post data, the default value is "". | |||
| 3.1.2. Use of the gs2-header | 3.1.2. Use of the gs2-header | |||
| The OAuth scheme related mechanisms are also GSS-API mechanisms, see | The OAuth scheme related mechanisms are also GSS-API mechanisms, see | |||
| Section 4 for further detail. The gs2-header is used as follows: | Section 4 for further detail. The gs2-header is used as follows: | |||
| o The "gs2-nonstd-flag" MUST NOT be present. | o The "gs2-nonstd-flag" MUST NOT be present. | |||
| o The "gs2-authzid" carries the authorization identity as specified | o The "gs2-authzid" carries the authorization identity as specified | |||
| in [RFC5801]. This MUST agree with the identity asserted in the | in [RFC5801]. If present the application MUST determine whether | |||
| OAuth credential. | access is granted for the identity asserted in the OAuth | |||
| credential, if it does not the server MUST fail the negotiation. | ||||
| In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" | In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" | |||
| because channel-binding [RFC5056] data is not expected. In the | because channel-binding [RFC5056] data is not expected. In the | |||
| OAUTH10A-PLUS mechanism (or other -PLUS variants based on this | OAUTH10A-PLUS mechanism (or other -PLUS variants based on this | |||
| specification) the "gs2-cb-flag" MUST be set appropriately by the | specification) the "gs2-cb-flag" MUST be set appropriately by the | |||
| client. | client. | |||
| 3.2. Server's Response | 3.2. Server's Response | |||
| The server validates the response per the specification for the | The server validates the response per the specification for the | |||
| skipping to change at page 10, line 50 ¶ | skipping to change at page 11, line 4 ¶ | |||
| The server validates the response per the specification for the | The server validates the response per the specification for the | |||
| authorization scheme used. If the authorization scheme used includes | authorization scheme used. If the authorization scheme used includes | |||
| signing of the request parameters the client must provide a client | signing of the request parameters the client must provide a client | |||
| response that satisfies the data requirements for the scheme in use. | response that satisfies the data requirements for the scheme in use. | |||
| In a "-PLUS" mechanism the server examines the channel binding data, | In a "-PLUS" mechanism the server examines the channel binding data, | |||
| extracts the channel binding unique prefix, and extracts the raw | extracts the channel binding unique prefix, and extracts the raw | |||
| channel biding data based on the channel binding type used. It then | channel biding data based on the channel binding type used. It then | |||
| computes it's own copy of the channel binding payload and compares | computes it's own copy of the channel binding payload and compares | |||
| that to the payload sent by the client in the cbdata key/value. | that to the payload sent by the client in the cbdata key/value. | |||
| Those two must be equal for channel binding to succeed. | Those two must be equal for channel binding to succeed. | |||
| The server responds to a successfully verified client message by | The server responds to a successfully verified client message by | |||
| completing the SASL negotiation. The authorization scheme MUST carry | completing the SASL negotiation. The authenticated identity reported | |||
| the user ID to be used as the authorization identity (identity to act | by the mechanism is the identity which the mechanism has securely | |||
| as). The server MUST use the ID obtained from the credential as the | established for the client with the OAuth credential. | |||
| user being authorized. | ||||
| 3.2.1. Mapping to SASL Identities | 3.2.1. Mapping to SASL Identities | |||
| Some OAuth mechanisms can provide both an authorization identity and | Note that the semantics of the authz-id are specified by the SASL | |||
| an authentication identity. An example of this is OAuth 1.0a | framework [RFC4422]. A SASL application is, of course, free to apply | |||
| [RFC5849] where the consumer key (oauth_consumer_key) identifies the | mappings of the OAuth authcid to authz-ids as per-SASL, and it is | |||
| entity using the token which equates to the SASL authentication | free to apply mappings common to non-SASL OAuth applications. | |||
| identity, and is authenticated using the shared secret. The server | ||||
| MAY use a consumer key, a value derived from it, or other comparable | Some OAuth schemes can carry both a user identity and a "proxy" | |||
| identity in the OAuth authorization scheme to allow SASL an | identity, for example an OAuth 1.0a [RFC5849] mechanism where the | |||
| authentication identity different from the authorization identity to | consumer key (oauth_consumer_key) identifies the entity using the | |||
| be set. | token and the token itself identifies the user. If both identities | |||
| are needed by an application the developer will need to provide a way | ||||
| to communicate that from the SASL mechanism back to the application | ||||
| such as a GS2 [RFC2473] named type like GSS_C_NT_USER_NAME or a | ||||
| comparable newly defined GS2 attribute. | ||||
| 3.2.2. Canonicalization | 3.2.2. Canonicalization | |||
| The identity asserted by the OAuth authorization server is canonical | The identity asserted by the OAuth authorization server is canonical | |||
| for display. The server MAY provide a different canonical form based | for display. The server MAY provide a different canonical form based | |||
| on local data. | on local data. | |||
| 3.2.3. Server response to failed authentication. | 3.2.3. Server response to failed authentication. | |||
| For a failed authentication the server returns a JSON [RFC4627] | For a failed authentication the server returns a JSON [RFC4627] | |||
| skipping to change at page 17, line 29 ¶ | skipping to change at page 18, line 29 ¶ | |||
| 5.2. OAuth 1.0a Authorization with Channel Binding | 5.2. OAuth 1.0a Authorization with Channel Binding | |||
| This example shows channel binding in the context of an OAuth 1.0a | This example shows channel binding in the context of an OAuth 1.0a | |||
| signed authorization request. Note that line breaks are inserted for | signed authorization request. Note that line breaks are inserted for | |||
| readability. | readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| Ready | Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ | C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ | |||
| XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb | XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb | |||
| XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a | XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a | |||
| F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ | F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ | |||
| D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb | D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb | |||
| m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe | m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe | |||
| GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc | GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc | |||
| GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= | |||
| S: t1 OK SASL authentication succeeded | S: t1 OK SASL authentication succeeded | |||
| As required by IMAP [RFC3501], the payloads are base64-encoded. The | As required by IMAP [RFC3501], the payloads are base64-encoded. The | |||
| decoded initial client response (with %x01 represented as ^A and | decoded initial client response (with %x01 represented as ^A and | |||
| lines wrapped for readability) is: | lines wrapped for readability) is: | |||
| y,a=user@example.com^A | p,a=user@example.com^A | |||
| host=server.example.com^A | host=server.example.com^A | |||
| port=143^A | port=143^A | |||
| auth=OAuth realm="Example", | auth=OAuth realm="Example", | |||
| oauth_consumer_key="9djdj82h48djs9d2", | oauth_consumer_key="9djdj82h48djs9d2", | |||
| oauth_token="kkk9d7dh3k39sjv7", | oauth_token="kkk9d7dh3k39sjv7", | |||
| oauth_signature_method="HMAC-SHA1", | oauth_signature_method="HMAC-SHA1", | |||
| oauth_timestamp="137131201", | oauth_timestamp="137131201", | |||
| oauth_nonce="7d8f3e4a", | oauth_nonce="7d8f3e4a", | |||
| oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A | |||
| qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A | |||
| skipping to change at page 19, line 10 ¶ | skipping to change at page 20, line 10 ¶ | |||
| n,a=user@example.com,^Ahost=server.example.com^A | n,a=user@example.com,^Ahost=server.example.com^A | |||
| port=143^Aauth=^A^A | port=143^Aauth=^A^A | |||
| The decoded server error response is: | The decoded server error response is: | |||
| { | { | |||
| "status":"401", | "status":"401", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required dummy response. | |||
| 5.4. Failed Channel Binding | 5.4. Failed Channel Binding | |||
| This example shows a channel binding failure in an empty request. | This example shows a channel binding failure in an empty request. | |||
| The channel binding information is empty. Note that line breaks are | The channel binding information is empty. Note that line breaks are | |||
| inserted for readability. | inserted for readability. | |||
| S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server | |||
| Ready | Ready | |||
| S: t0 OK Completed | S: t0 OK Completed | |||
| C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9z | C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9z | |||
| dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB | dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB | |||
| S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== | S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== | |||
| C: + AQ== | C: + AQ== | |||
| S: t1 NO SASL authentication failed | S: t1 NO SASL authentication failed | |||
| The decoded initial client response is: | The decoded initial client response is: | |||
| y,a=user@example.com,^Ahost=server.example.com^A | p,a=user@example.com,^Ahost=server.example.com^A | |||
| port=143^Aauth=^Acbdata=^A^A | port=143^Aauth=^Acbdata=^A^A | |||
| The decoded server response is: | The decoded server response is: | |||
| { | { | |||
| "status":"412", | "status":"412", | |||
| "scope":"example_scope" | "scope":"example_scope" | |||
| } | } | |||
| The client responds with the required empty response. | The client responds with the required dummy response. | |||
| 5.5. SMTP Example of a failed negotiation. | 5.5. SMTP Example of a failed negotiation. | |||
| This example shows an authorization failure in an SMTP exchange. | This example shows an authorization failure in an SMTP exchange. | |||
| Note that line breaks are inserted for readability, and that the SMTP | Note that line breaks are inserted for readability, and that the SMTP | |||
| protocol terminates lines with CR and LF characters (ASCII values | protocol terminates lines with CR and LF characters (ASCII values | |||
| 0x0D and 0x0A), these are not displayed explicitly in the example. | 0x0D and 0x0A), these are not displayed explicitly in the example. | |||
| [connection begins] | [connection begins] | |||
| S: 220 mx.example.com ESMTP 12sm2095603fks.9 | S: 220 mx.example.com ESMTP 12sm2095603fks.9 | |||
| skipping to change at page 20, line 24 ¶ | skipping to change at page 21, line 24 ¶ | |||
| C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 | C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 | |||
| RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== | RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== | |||
| S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia | |||
| HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K | |||
| C: AQ== | C: AQ== | |||
| S: 535-5.7.1 Username and Password not accepted. Learn more at | S: 535-5.7.1 Username and Password not accepted. Learn more at | |||
| S: 535 5.7.1 http://support.example.com/mail/oauth | S: 535 5.7.1 http://support.example.com/mail/oauth | |||
| [connection continues...] | [connection continues...] | |||
| The server returned an error message in the 334 SASL message, the | The server returned an error message in the 334 SASL message, the | |||
| client responds with the required empty response, and the server | client responds with the required dummy response, and the server | |||
| finalizes the negotiation. | finalizes the negotiation. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This mechanism does not provide a security layer, but does provide a | This mechanism does not provide a security layer, but does provide a | |||
| provision for channel binding. The OAuth 2 specification | provision for channel binding. The OAuth 2 specification | |||
| [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | [I-D.ietf-oauth-v2] allows for a variety of usages, and the security | |||
| properties of these profiles vary. The usage of bearer tokens, for | properties of these profiles vary. The usage of bearer tokens, for | |||
| example, provide security features similar to cookies. Applications | example, provide security features similar to cookies. Applications | |||
| using this mechanism SHOULD exercise the same level of care using | using this mechanism SHOULD exercise the same level of care using | |||
| skipping to change at page 24, line 22 ¶ | skipping to change at page 25, line 22 ¶ | |||
| [I-D.ietf-oauth-v2-bearer] | [I-D.ietf-oauth-v2-bearer] | |||
| Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | Jones, M. and D. Hardt, "The OAuth 2.0 Authorization | |||
| Framework: Bearer Token Usage", | Framework: Bearer Token Usage", | |||
| draft-ietf-oauth-v2-bearer-23 (work in progress), | draft-ietf-oauth-v2-bearer-23 (work in progress), | |||
| August 2012. | August 2012. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in | ||||
| IPv6 Specification", RFC 2473, December 1998. | ||||
| [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
| Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| RFC 2617, June 1999. | RFC 2617, June 1999. | |||
| [RFC2743] Linn, J., "Generic Security Service Application Program | [RFC2743] Linn, J., "Generic Security Service Application Program | |||
| skipping to change at page 27, line 9 ¶ | skipping to change at page 28, line 9 ¶ | |||
| Appendix A. Acknowlegements | Appendix A. Acknowlegements | |||
| The authors would like to thank the members of the Kitten working | The authors would like to thank the members of the Kitten working | |||
| group, and in addition and specifically: Simon Josefson, Torsten | group, and in addition and specifically: Simon Josefson, Torsten | |||
| Lodderstadt, Ryan Troll, and Nico Williams. | Lodderstadt, Ryan Troll, and Nico Williams. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -07 | ||||
| o Struck the MUST langiage from authzid. | ||||
| o | ||||
| -06 | -06 | |||
| o Removed the user field. Fixed the examples again. | o Removed the user field. Fixed the examples again. | |||
| o Added canonicalization language. | o Added canonicalization language. | |||
| o | o | |||
| -05 | -05 | |||
| End of changes. 20 change blocks. | ||||
| 46 lines changed or deleted | 60 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||