< draft-ietf-kitten-sasl-oauth-13.txt   draft-ietf-kitten-sasl-oauth-14.txt >
KITTEN W. Mills KITTEN W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track T. Showalter Intended status: Standards Track T. Showalter
Expires: August 18, 2014 Expires: September 7, 2014
H. Tschofenig H. Tschofenig
ARM Ltd. ARM Ltd.
February 14, 2014 March 6, 2014
A set of SASL Mechanisms for OAuth A set of SASL Mechanisms for OAuth
draft-ietf-kitten-sasl-oauth-13.txt draft-ietf-kitten-sasl-oauth-14.txt
Abstract Abstract
OAuth enables a third-party application to obtain limited access to a OAuth enables a third-party application to obtain limited access to a
protected resource, either on behalf of a resource owner by protected resource, either on behalf of a resource owner by
orchestrating an approval interaction, or by allowing the third-party orchestrating an approval interaction, or by allowing the third-party
application to obtain access on its own behalf. application to obtain access on its own behalf.
This document defines how an application client uses credentials This document defines how an application client uses credentials
obtained via OAuth over the Simple Authentication and Security Layer obtained via OAuth over the Simple Authentication and Security Layer
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on September 7, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 6 3. OAuth SASL Mechanism Specifications . . . . . . . . . . . . . 6
3.1. Initial Client Response . . . . . . . . . . . . . . . . . 7 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 7
3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 7 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 8
3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 8 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 8
3.2.1. OAuth Identifiers in the SASL Context . . . . . . . . 8 3.2.1. OAuth Identifiers in the SASL Context . . . . . . . . 8
3.2.2. Server Response to Failed Authentication . . . . . . 8 3.2.2. Server Response to Failed Authentication . . . . . . 9
3.2.3. Completing an Error Message Sequence . . . . . . . . 9 3.2.3. Completing an Error Message Sequence . . . . . . . . 9
3.3. OAuth Access Token Types using Keyed Message Digests . . 9 3.3. OAuth Access Token Types using Keyed Message Digests . . 9
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.1. Successful Bearer Token Exchange . . . . . . . . . . . . 10 4.1. Successful Bearer Token Exchange . . . . . . . . . . . . 11
4.2. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 11 4.2. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 11
4.3. SMTP Example of a Failed Negotiation . . . . . . . . . . 12 4.3. SMTP Example of a Failed Negotiation . . . . . . . . . . 12
5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. Internationalization Considerations . . . . . . . . . . . . . 14 6. Internationalization Considerations . . . . . . . . . . . . . 14
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 14 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
8.1. Normative References . . . . . . . . . . . . . . . . . . 15 8.1. Normative References . . . . . . . . . . . . . . . . . . 15
8.2. Informative References . . . . . . . . . . . . . . . . . 16 8.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . 16 Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . 17
Appendix B. Document History . . . . . . . . . . . . . . . . . . 17 Appendix B. Document History . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
OAuth 1.0a [RFC5849] and OAuth 2.0 [RFC6749] are protocol frameworks OAuth 1.0a [RFC5849] and OAuth 2.0 [RFC6749] are protocol frameworks
that enable a third-party application to obtain limited access to a that enable a third-party application to obtain limited access to a
protected resource, either on behalf of a resource owner by protected resource, either on behalf of a resource owner by
orchestrating an approval interaction, or by allowing the third-party orchestrating an approval interaction, or by allowing the third-party
application to obtain access on its own behalf. application to obtain access on its own behalf.
skipping to change at page 3, line 25 skipping to change at page 3, line 25
define the interaction between the OAuth client and the resource define the interaction between the OAuth client and the resource
server for the access to a protected resource using an Access Token. server for the access to a protected resource using an Access Token.
Instead, the OAuth client to resource server interaction is described Instead, the OAuth client to resource server interaction is described
in separate specifications, such as the bearer token specification in separate specifications, such as the bearer token specification
[RFC6750] and the MAC Token specification [RFC6750] and the MAC Token specification
[I-D.ietf-oauth-v2-http-mac]. OAuth 1.0a included the protocol [I-D.ietf-oauth-v2-http-mac]. OAuth 1.0a included the protocol
specification for the communication between the OAuth client and the specification for the communication between the OAuth client and the
resource server in [RFC5849]. resource server in [RFC5849].
The main use cases for OAuth 2.0 and OAuth 1.0a have so far focused The main use cases for OAuth 2.0 and OAuth 1.0a have so far focused
on an HTTP-based environment only. This document integrates OAuth on an HTTP-based [RFC2616] environment only. This document
1.0a and OAuth 2.0 into non-HTTP-based applications using the integrates OAuth 1.0a and OAuth 2.0 into non-HTTP-based applications
integration into SASL. Hence, this document takes advantage of the using the integration into SASL. Hence, this document takes
OAuth protocol and its deployment base to provide a way to use the advantage of the OAuth protocol and its deployment base to provide a
Simple Authentication and Security Layer (SASL) [RFC4422] to gain way to use the Simple Authentication and Security Layer (SASL)
access to resources when using non-HTTP-based protocols, such as the [RFC4422] to gain access to resources when using non-HTTP-based
Internet Message Access Protocol (IMAP) [RFC3501] and SMTP [RFC5321], protocols, such as the Internet Message Access Protocol (IMAP)
[RFC3501] and the Simple Mail Transfer Protocol (SMTP) [RFC5321],
which is what this memo uses in the examples. which is what this memo uses in the examples.
To illustrate the impact of integrating this specification into an To illustrate the impact of integrating this specification into an
OAuth-enabled application environment Figure 1 shows the abstract OAuth-enabled application environment Figure 1 shows the abstract
message flow of OAuth 2.0 [RFC6749]. As indicated in the figure, message flow of OAuth 2.0 [RFC6749]. As indicated in the figure,
this document impacts the exchange of messages (E) and (F) since SASL this document impacts the exchange of messages (E) and (F) since SASL
is used for interaction between the client and the resource server is used for interaction between the client and the resource server
instead of HTTP. instead of HTTP.
----+ ----+
skipping to change at page 5, line 46 skipping to change at page 5, line 46
and does not separate the resource server from the authorization and does not separate the resource server from the authorization
server. server.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The reader is assumed to be familiar with the terms used in the OAuth The reader is assumed to be familiar with the terms used in the OAuth
2.0 specification [RFC6749]. 2.0 specification [RFC6749] and SASL [RFC4422].
In examples, "C:" and "S:" indicate lines sent by the client and In examples, "C:" and "S:" indicate lines sent by the client and
server respectively. Line breaks have been inserted for readability. server respectively. Line breaks have been inserted for readability.
Note that the IMAP SASL specification requires base64 encoding, see Note that the IMAP SASL specification requires base64 encoding, see
Section 4 of [RFC4648], not this memo. Section 4 of [RFC4648], not this memo.
3. OAuth SASL Mechanism Specifications 3. OAuth SASL Mechanism Specifications
SASL is used as an authentication framework in a variety of SASL is used as an authentication framework in a variety of
skipping to change at page 6, line 31 skipping to change at page 6, line 31
New extensions may be defined to add additional OAuth Access Token New extensions may be defined to add additional OAuth Access Token
Types. Such a new SASL OAuth mechanism can be added by simply Types. Such a new SASL OAuth mechanism can be added by simply
registering the new name(s) and citing this specification for the registering the new name(s) and citing this specification for the
further definition. further definition.
These mechanisms are client initiated and lock-step, the server These mechanisms are client initiated and lock-step, the server
always replying to a client message. In the case where the client always replying to a client message. In the case where the client
has and correctly uses a valid token the flow is: has and correctly uses a valid token the flow is:
o Client sends a valid and correct initial client response. 1. Client sends a valid and correct initial client response.
o Server responds with a successful authentication. 2. Server responds with a successful authentication.
In the case where authorization fails the server sends an error In the case where authorization fails the server sends an error
result, then client MUST then send an additional message to the result, then client MUST then send an additional message to the
server in order to allow the server to finish the exchange. Some server in order to allow the server to finish the exchange. Some
protocols and common SASL implementations do not support both sending protocols and common SASL implementations do not support both sending
a SASL message and finalizing a SASL negotiation, the additional a SASL message and finalizing a SASL negotiation, the additional
client message in the error case deals with this problem. This client message in the error case deals with this problem. This
exchange is: exchange is:
o Client sends an invalid initial client response. 1. Client sends an invalid initial client response.
o Server responds with an error message. 2. Server responds with an error message.
o Client sends a dummy client response. 3. Client sends a dummy client response.
o Server fails the authentication. 4. Server fails the authentication.
3.1. Initial Client Response 3.1. Initial Client Response
Client responses are a key/value pair sequence. These key/value Client responses are a key/value pair sequence. The initial client
pairs carry the equivalent values from an HTTP context in order to be response includes a gs2-header as defined in GS2 [RFC5801] which is
able to complete an OAuth style HTTP authorization. Unknown key/ defined here as a stub for compatibility with GS2 if a GS2 mechanism
value pairs MUST be ignored by the server. The ABNF [RFC5234] syntax is formally defined, but this document does not define one. These
is: key/value pairs carry the equivalent values from an HTTP context in
order to be able to complete an OAuth style HTTP authorization.
Unknown key/value pairs MUST be ignored by the server. The ABNF
[RFC5234] syntax is:
kvsep = %x01 kvsep = %x01
key = 1*ALPHA key = 1*(ALPHA / ",")
value = *(VCHAR / SP / HTAB / CR / LF ) value = *(VCHAR / SP / HTAB / CR / LF )
kvpair = key "=" value kvsep kvpair = key "=" value kvsep
client_resp = 0*kvpair kvsep gs2-header = ALPHA "," value
client_resp = gs2-header kvsep 0*kvpair kvsep
The GS2
The following key/value pairs are defined in the client response: The following key/value pairs are defined in the client response:
auth (REQUIRED): The payload of the HTTP Authorization header for auth (REQUIRED): The payload of the HTTP Authorization header for
an equivalent HTTP OAuth authorization. an equivalent HTTP OAuth authorization.
user (REQUIRED): Contains the user name being authenticated. The
server MAY use this as a routing or database lookup hint. The
server MUST NOT use this as authoritative, the user name MUST
be asserted by the OAuth credential.
host: Contains the host name to which the client connected. host: Contains the host name to which the client connected.
port: Contains the port number represented as a decimal positive port: Contains the port number represented as a decimal positive
integer string without leading zeros to which the client integer string without leading zeros to which the client
connected. connected.
qs: The HTTP query string. This is reserved for future use, the qs: The HTTP query string. This is reserved for future use, the
client SHOUD NOT send it, and has the default value of "". client SHOUD NOT send it, and has the default value of "".
For OAuth token types that use keyed message digests the client MUST For OAuth token types that use keyed message digests the client MUST
skipping to change at page 8, line 48 skipping to change at page 9, line 12
need to provide a way to communicate that from the SASL mechanism need to provide a way to communicate that from the SASL mechanism
back to the application. back to the application.
3.2.2. Server Response to Failed Authentication 3.2.2. Server Response to Failed Authentication
For a failed authentication the server returns a JSON [RFC4627] For a failed authentication the server returns a JSON [RFC4627]
formatted error result, and fails the authentication. The error formatted error result, and fails the authentication. The error
result consists of the following values: result consists of the following values:
status (REQUIRED): The authorization error code. Valid error status (REQUIRED): The authorization error code. Valid error
codes are defined in the IANA [[need registry name]] registry codes are defined in the IANA "OAuth Extensions Error Registry"
specified in the OAuth 2 core specification. specified in the OAuth 2 core specification.
scope (OPTIONAL): An OAuth scope which is valid to access the scope (OPTIONAL): An OAuth scope which is valid to access the
service. This may be empty which implies that unscoped tokens service. This may be empty which implies that unscoped tokens
are required, or a space separated list. Use of a space are required, or a scope value. If a scope is specified then a
separated list is NOT RECOMMENDED. single scope is preferred, use of a space separated list of
scopes is NOT RECOMMENDED.
If the resource server provides a scope then the client MUST always If the resource server provides a scope then the client MUST always
request scoped tokens from the token endpoint. If the resource request scoped tokens from the token endpoint. If the resource
server provides no scope to the client then the client SHOULD presume server provides no scope to the client then the client SHOULD presume
an empty scope (unscoped token) is needed. an empty scope (unscoped token) is needed.
If channel binding is in use and the channel binding fails the server
responds with a status code set to 412 to indicate that the channel
binding precondition failed. If the authentication scheme in use
does not include signing the server SHOULD revoke the presented
credential and the client SHOULD discard that credential.
3.2.3. Completing an Error Message Sequence 3.2.3. Completing an Error Message Sequence
Section 3.6 of [RFC4422] explicitly prohibits additional information Section 3.6 of [RFC4422] explicitly prohibits additional information
in an unsuccessful authentication outcome. Therefore, the error in an unsuccessful authentication outcome. Therefore, the error
message is sent in a normal message. The client MUST then send an message is sent in a normal message. The client MUST then send an
additional client response consisting of a single %x01 (control A) additional client response consisting of a single %x01 (control A)
character to the server in order to allow the server to finish the character to the server in order to allow the server to finish the
exchange. exchange.
3.3. OAuth Access Token Types using Keyed Message Digests 3.3. OAuth Access Token Types using Keyed Message Digests
skipping to change at page 10, line 5 skipping to change at page 10, line 10
These atoms are defined as extension points so that no changes are These atoms are defined as extension points so that no changes are
needed if there is a revision of SASL which supports more specific needed if there is a revision of SASL which supports more specific
resource authorization, e.g., IMAP access to a specific folder or FTP resource authorization, e.g., IMAP access to a specific folder or FTP
access limited to a specific directory. access limited to a specific directory.
Using the example in the OAuth 1.0a specification as a starting Using the example in the OAuth 1.0a specification as a starting
point, on an IMAP server running on port 143 and given the OAuth 1.0a point, on an IMAP server running on port 143 and given the OAuth 1.0a
style authorization request (with %x01 shown as ^A and line breaks style authorization request (with %x01 shown as ^A and line breaks
added for readability) below: added for readability) below:
n,a=user@example.com^A n,^A
host=example.com^A host=example.com^A
user=user@example.com^A user=user@example.com^A
port=143^A port=143^A
auth=OAuth realm="Example", auth=OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2", oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7", oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1", oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201", oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a", oauth_nonce="7d8f3e4a",
oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A oauth_signature="Tm90IGEgcmVhbCBzaWduYXR1cmU%3D"^A^A
skipping to change at page 11, line 5 skipping to change at page 11, line 11
Note to implementers: The SASL OAuth method names are case Note to implementers: The SASL OAuth method names are case
insensitive. One example uses "Bearer" but that could as easily be insensitive. One example uses "Bearer" but that could as easily be
"bearer", "BEARER", or "BeArEr". "bearer", "BEARER", or "BeArEr".
4.1. Successful Bearer Token Exchange 4.1. Successful Bearer Token Exchange
This example shows a successful OAuth 2.0 bearer token exchange. This example shows a successful OAuth 2.0 bearer token exchange.
Note that line breaks are inserted for readability and the underlying Note that line breaks are inserted for readability and the underlying
TLS establishment is not shown either. TLS establishment is not shown either.
S: * OK IMAP4rev1 Server Ready S: * OK IMAP4rev1 Server Ready
C: t0 CAPABILITY C: t0 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR
S: t0 OK Completed S: t0 OK Completed
C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX C: t1 AUTHENTICATE OAUTHBEARER biwBdXNlcj11c2VyQGV4YW1wbGUuY29tAWhvc3Q9c2Vyd
J2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1CZWFyZXIgdkY5ZGZ0NHFtV mVyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWRmdDRxbVRjMk52YjN
GMyTnZiM1JsY2tCaGJIUmhkbWx6ZEdFdVkyOXRDZz09AQE= SbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB
S: t1 OK SASL authentication succeeded S: t1 OK SASL authentication succeeded
As required by IMAP [RFC3501], the payloads are base64-encoded. The As required by IMAP [RFC3501], the payloads are base64-encoded. The
decoded initial client response (with %x01 represented as ^A and long decoded initial client response (with %x01 represented as ^A and long
lines wrapped for readability) is: lines wrapped for readability) is:
n,a=user@example.com^Ahost=server.example.com^Aport=143^A n,^Auser=user@example.com^Ahost=server.example.com^Aport=143^A
auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A auth=Bearer vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29tCg==^A^A
The same credential used in an SMTP exchange is shown below. Note The same credential used in an SMTP exchange is shown below. Note
that line breaks are inserted for readability, and that the SMTP that line breaks are inserted for readability, and that the SMTP
protocol terminates lines with CR and LF characters (ASCII values protocol terminates lines with CR and LF characters (ASCII values
0x0D and 0x0A), these are not displayed explicitly in the example. 0x0D and 0x0A), these are not displayed explicitly in the example.
[connection begins] [connection begins]
S: 220 mx.example.com ESMTP 12sm2095603fks.9 S: 220 mx.example.com ESMTP 12sm2095603fks.9
C: EHLO sender.example.com C: EHLO sender.example.com
S: 250-mx.example.com at your service,[172.31.135.47] S: 250-mx.example.com at your service,[172.31.135.47]
S: 250-SIZE 35651584 S: 250-SIZE 35651584
S: 250-8BITMIME S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN OAUTHBEARER S: 250-AUTH LOGIN PLAIN OAUTHBEARER
S: 250-ENHANCEDSTATUSCODES S: 250-ENHANCEDSTATUSCODES
S: 250 PIPELINING S: 250 PIPELINING
C: t1 AUTHENTICATE OAUTHBEARER bixhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZX C: t1 AUTHENTICATE OAUTHBEARER biwBdXNlcj11c2VyQGV4YW1wbGUuY29tAWhvc
J2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1CZWFyZXIgdkY5ZGZ0NHFtV 3Q9c2VydmVyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9QmVhcmVyIHZGOWR
GMyTnZiM1JsY2tCaGJIUmhkbWx6ZEdFdVkyOXRDZz09AQE= mdDRxbVRjMk52YjNSbGNrQmhiSFJoZG1semRHRXVZMjl0Q2c9PQEB
S: 235 Authentication successful. S: 235 Authentication successful.
[connection continues...] [connection continues...]
4.2. Failed Exchange 4.2. Failed Exchange
This example shows a failed exchange because of the empty This example shows a failed exchange because of the empty
Authorization header, which is how a client can query for the needed Authorization header, which is how a client can query for the needed
scope. Note that line breaks are inserted for readability. scope. Note that line breaks are inserted for readability.
S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR IMAP4rev1 Server
Ready Ready
S: t0 OK Completed S: t0 OK Completed
C: t1 AUTHENTICATE OAUTHBEARER cD10bHMtdW5pcXVlLGE9dXNlckBleGFtcG C: t1 AUTHENTICATE OAUTHBEARER biwBdXNlcj11c2VyQGV4YW1wbGUuY29tAWhvc3Q9c2Vyd
xlLmNvbQFob3N0PXNlcnZlci5leGFtcGxlLmNvbQFwb3J0PTE0MwFhdXRoP mVyLmV4YW1wbGUuY29tAXBvcnQ9MTQzAWF1dGg9AWNiZGF0YT0BAQ==
QFjYmRhdGE9AQE= S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9
S: + ewoic3RhdHVzIjoiNDAxIgoic2NvcGUiOiJleGFtcGxlX3Njb3BlIgp9 C: + AQ==
C: + AQ== S: t1 NO SASL authentication failed
S: t1 NO SASL authentication failed
The decoded initial client response is: The decoded initial client response is:
n,a=user@example.com,^Ahost=server.example.com^A n,^Auser=user@example.com^Ahost=server.example.com^A
port=143^Aauth=^A^A port=143^Aauth=^A^A
The decoded server error response is: The decoded server error response is:
{ {
"status":"401", "status":"401",
"scope":"example_scope" "scope":"example_scope"
} }
The client responds with the required dummy response. The client responds with the required dummy response.
skipping to change at page 12, line 45 skipping to change at page 12, line 44
[connection begins] [connection begins]
S: 220 mx.example.com ESMTP 12sm2095603fks.9 S: 220 mx.example.com ESMTP 12sm2095603fks.9
C: EHLO sender.example.com C: EHLO sender.example.com
S: 250-mx.example.com at your service,[172.31.135.47] S: 250-mx.example.com at your service,[172.31.135.47]
S: 250-SIZE 35651584 S: 250-SIZE 35651584
S: 250-8BITMIME S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN OAUTHBEARER S: 250-AUTH LOGIN PLAIN OAUTHBEARER
S: 250-ENHANCEDSTATUSCODES S: 250-ENHANCEDSTATUSCODES
S: 250 PIPELINING S: 250 PIPELINING
C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 C: AUTH OAUTHBEARER biwBdXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJl
RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== ciB2RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ==
S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia
HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K
C: AQ== C: AQ==
S: 535-5.7.1 Username and Password not accepted. Learn more at S: 535-5.7.1 Username and Password not accepted. Learn more at
S: 535 5.7.1 http://support.example.com/mail/oauth S: 535 5.7.1 http://support.example.com/mail/oauth
[connection continues...] [connection continues...]
The server returned an error message in the 334 SASL message, the The server returned an error message in the 334 SASL message, the
client responds with the required dummy response, and the server client responds with the required dummy response, and the server
finalizes the negotiation. finalizes the negotiation.
skipping to change at page 13, line 21 skipping to change at page 13, line 21
and the security properties of these profiles vary. As shown in and the security properties of these profiles vary. As shown in
Figure 1 this specification is aimed to be integrated into a larger Figure 1 this specification is aimed to be integrated into a larger
OAuth deployment. Application developers therefore need to OAuth deployment. Application developers therefore need to
understand the needs of their security requirements based on a threat understand the needs of their security requirements based on a threat
assessment before selecting a specific SASL OAuth mechanism. For assessment before selecting a specific SASL OAuth mechanism. For
OAuth 2.0 a detailed security document [RFC6819] provides guidance to OAuth 2.0 a detailed security document [RFC6819] provides guidance to
select those OAuth 2.0 components that help to mitigate threats for a select those OAuth 2.0 components that help to mitigate threats for a
given deployment. For OAuth 1.0a Section 4 of RFC 5849 [RFC5849] given deployment. For OAuth 1.0a Section 4 of RFC 5849 [RFC5849]
provides guidance specific to OAuth 1.0. provides guidance specific to OAuth 1.0.
This document specifies three SASL Mechanisms for OAuth and each This document specifies two SASL Mechanisms for OAuth and each comes
comes with different security properties. with different security properties.
OAUTHBEARER: This mechanism borrows from OAuth 2.0 bearer tokens OAUTHBEARER: This mechanism borrows from OAuth 2.0 bearer tokens
[RFC6750]. It relies on the application using TLS to protect the [RFC6750]. It relies on the application using TLS to protect the
OAuth 2.0 Bearer Token exchange; without TLS usage at the OAuth 2.0 Bearer Token exchange; without TLS usage at the
application layer this method is completely insecure. application layer this method is completely insecure.
Consequently, TLS MUST be provided by the application when Consequently, TLS MUST be provided by the application when
choosing this authentication mechanism. choosing this authentication mechanism.
OAUTH10A: This mechanism re-uses OAuth 1.0a MAC tokens (using the OAUTH10A: This mechanism re-uses OAuth 1.0a MAC tokens (using the
HMAC-SHA1 keyed message digest), as described in Section 3.4.2 of HMAC-SHA1 keyed message digest), as described in Section 3.4.2 of
skipping to change at page 13, line 46 skipping to change at page 13, line 46
supports client authentication. If server-side authentication is supports client authentication. If server-side authentication is
desireable then it must be provided by the application underneath desireable then it must be provided by the application underneath
the SASL layer. The use of TLS is strongly RECOMMENDED. the SASL layer. The use of TLS is strongly RECOMMENDED.
Additionally, the following aspects are worth pointing out: Additionally, the following aspects are worth pointing out:
An access token is not equivalent to the user's long term password. An access token is not equivalent to the user's long term password.
Care has to be taken when these OAuth credentials are used for Care has to be taken when these OAuth credentials are used for
actions like changing passwords (as it is possible with some actions like changing passwords (as it is possible with some
protocols, e.g., XMPP). The resource server should ensure that protocols, e.g., XMPP [RFC6120]). The resource server should
actions taken in the authenticated channel are appropriate to the ensure that actions taken in the authenticated channel are
strength of the presented credential. appropriate to the strength of the presented credential.
Lifetime of the appliation sessions. Lifetime of the appliation sessions.
It is possible that SASL will be authenticating a connection and It is possible that SASL will be authenticating a connection and
the life of that connection may outlast the life of the access the life of that connection may outlast the life of the access
token used to establish it. This is a common problem in token used to establish it. This is a common problem in
application protocols where connections are long-lived, and not a application protocols where connections are long-lived, and not a
problem with this mechanism per se. Resource servers may problem with this mechanism per se. Resource servers may
unilaterally disconnect clients in accordance with the application unilaterally disconnect clients in accordance with the application
protocol. protocol.
skipping to change at page 15, line 43 skipping to change at page 15, line 43
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
Service Application Program Interface (GSS-API) Mechanisms
in Simple Authentication and Security Layer (SASL): The
GS2 Mechanism Family", RFC 5801, July 2010.
[RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849,
April 2010. April 2010.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012. 6749, October 2012.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012. Framework: Bearer Token Usage", RFC 6750, October 2012.
8.2. Informative References 8.2. Informative References
[I-D.ietf-oauth-json-web-token] [I-D.ietf-oauth-json-web-token]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token-15 (work in (JWT)", draft-ietf-oauth-json-web-token-18 (work in
progress), January 2014. progress), March 2014.
[I-D.ietf-oauth-v2-http-mac] [I-D.ietf-oauth-v2-http-mac]
Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth Richer, J., Mills, W., Tschofenig, H., and P. Hunt, "OAuth
2.0 Message Authentication Code (MAC) Tokens", draft-ietf- 2.0 Message Authentication Code (MAC) Tokens", draft-ietf-
oauth-v2-http-mac-05 (work in progress), January 2014. oauth-v2-http-mac-05 (work in progress), January 2014.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003. 4rev1", RFC 3501, March 2003.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008. October 2008.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, March 2011.
[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
January 2013. January 2013.
[RFC7033] Jones, P., Salgueiro, G., Jones, M., and J. Smarr, [RFC7033] Jones, P., Salgueiro, G., Jones, M., and J. Smarr,
"WebFinger", RFC 7033, September 2013. "WebFinger", RFC 7033, September 2013.
Appendix A. Acknowlegements Appendix A. Acknowlegements
The authors would like to thank the members of the Kitten working The authors would like to thank the members of the Kitten working
group, and in addition and specifically: Simon Josefson, Torsten group, and in addition and specifically: Simon Josefson, Torsten
Lodderstadt, Ryan Troll, Alexey Melnikov, Jeffrey Hutzelman, and Nico Lodderstadt, Ryan Troll, Alexey Melnikov, Jeffrey Hutzelman, Nico
Williams. Williams, and Matt Miller.
This document was produced under the chairmanship of Alexey Melnikov, This document was produced under the chairmanship of Alexey Melnikov,
Tom Yu, Shawn Emery, Josh Howlett, Sam Hartman. The supervising area Tom Yu, Shawn Emery, Josh Howlett, Sam Hartman. The supervising area
directors was Stephen Farrell. director was Stephen Farrell.
Appendix B. Document History Appendix B. Document History
[[ to be removed by RFC editor before publication as an RFC ]] [[ to be removed by RFC editor before publication as an RFC ]]
-14
o Last call feedack on RFC citations needed, small editorial.
o Added the "user" parameter back, which was pulled when we started
down the GS2 path. Same language as -03.
o Defined a stub GS2 header to make sure that when the GS2 bride is
defined for this that nothing will break when it actually starts
to get populated.
-13 -13
o Changed affiliation. o Changed affiliation.
-12 -12
o Removed -PLUS components from the specification. o Removed -PLUS components from the specification.
-11 -11
 End of changes. 40 change blocks. 
76 lines changed or deleted 102 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/