Internet DRAFT - draft-holmberg-sipcore-auth-id

draft-holmberg-sipcore-auth-id






Network Working Group                                        C. Holmberg
Internet-Draft                                                  Ericsson
Intended status: Standards Track                            May 28, 2015
Expires: November 29, 2015


                     Authorization server identity
                 draft-holmberg-sipcore-auth-id-01.txt

Abstract

   The 3rd-Generation Partnership Project (3GPP) has defined how the
   WebRTC framework can be used to provide access to IMS services.
   Users can use "web credentials" (e.g. a username and password) to
   obtain an authorization token (e.g. an OAuth 2.0 access token), which
   is included in the user registration request sent towards the IMS
   network.

   3GPP has specified a requirement, that the eP-CSCF shall be able to
   include a string value, representing the identity of the WAF, in the
   REGISTER request forwarded towards the S-CSCF.  The S-CSCF can use
   the identity for e.g. policy decisions.

   This document defines a new Authorization header field parameter,
   'authorization-entity', which the eP-CSCF can include in a REGISTER
   request in order to convey the identity of the WAF towards the
   S-CSCF.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 29, 2015.







Holmberg                Expires November 29, 2015               [Page 1]

Internet-Draft        Authorization server identity             May 2015


Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Abbreviations . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  'authorization-entity' header field parameter . . . . . . . .   4
     5.1.  General . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.2.  Syntax  . . . . . . . . . . . . . . . . . . . . . . . . .   4
       5.2.1.  General . . . . . . . . . . . . . . . . . . . . . . .   4
       5.2.2.  ABNF  . . . . . . . . . . . . . . . . . . . . . . . .   4
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   5
   9.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   10. Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Appendix A.  3GPP Examples  . . . . . . . . . . . . . . . . . . .   6
     A.1.  General . . . . . . . . . . . . . . . . . . . . . . . . .   6
     A.2.  WIC registration using web credentials  . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The 3rd-Generation Partnership Project (3GPP) has defined how the
   WebRTC framework can be used to provide access to IMS services.
   Users can use "web credentials" (e.g. a username and password) to
   obtain an authorization token (e.g. an OAuth 2.0 access token), which
   is included in the user registration request sent towards the IMS
   network.

   NOTE: The current assumption is that, when SIP [RFC5234] is used
   between the WIC and the eP-CSCF, together with the OAuth 2.0
   framework [RFC6749], the access token will be conveyed in the



Holmberg                Expires November 29, 2015               [Page 2]

Internet-Draft        Authorization server identity             May 2015


   REGISTER request using the mechanism defined in
   [I-D.yusef-sipcore-sip-oauth].

   The WWSF (OAuth 2.0 Client role) authenticates the user (OAuth 2.0
   Resource Owner role), and obtains the token from the WAF (OAuth 2.0
   Authorization Server role).  The WWSF then provides the token to user
   (typically as part of a JavaScript application downloaded by the
   user), which then includes the token in the registration request
   (REGISTER request when SIP [RFC3261] is used) towards the IMS network
   (OAuth 2.0 Resource Server role).

   When the eP-CSCF receives the registration request, it contacts the
   WAF and verifies the token.  If the verification is successful, the
   WAF provides IMS credentials to eP-CSCF, which the eP-CSCF can
   include in the registration request sent towards the S-CSCF, in order
   to register the user using legacy IMS registration mechanisms.

   3GPP has specified a requirement, that the eP-CSCF shall be able to
   include a string value, representing the identity of the WAF, in the
   REGISTER request forwarded towards the S-CSCF.  The S-CSCF can use
   the identity for e.g. policy and routing decisions.

   This document defines a new Authorization header field parameter,
   'authorization-entity', which the eP-CSCF can include in a REGISTER
   request in order to convey the identity of the WAF towards the
   S-CSCF.

   The 'authorization-entity' parameter is defined in order to fulfil
   requirements from the 3rd-Generation Partnership Project (3GPP), but
   it can also be used in other network environments.

2.  Abbreviations

   WIC (WebRTC IMS Client): An application (typically a JavaScript
   application executed in a browser) using the WebRTC 1.0 extensions
   used to access IMS.

   WAF (WebRTC Authorisation Function): Provides and validates access
   tokens.  In the OAuth 2.00 architecture the WAF represents the
   Authorization Server.

   WWSF (WebRTC Web Server Function): obtains access tokens on behalf of
   a user, and provides the WIC application code to the user.  In the
   OAuth 2.0 architecture the WWSF represents the Client.

   CSCF: Call Session Control Function: IMS SIP proxy.  Different types
   of CSCFs perform different functions in an IMS network.




Holmberg                Expires November 29, 2015               [Page 3]

Internet-Draft        Authorization server identity             May 2015


   eP-CSCF (P-CSCF enhanced for WebRTC): A SIP proxy which validates the
   access token, and obtains IMS credentials associated with the access
   token.  In the OAuth 2.0 architecture the eP-CSCF represents verifies
   the access token on behalf of the Resource Server.

   S-CSCF (Serving CSCF): IMS SIP registrar.

3.  Requirements

   REQ-1: It MUST be possible for a SIP proxy to include a string value,
   representing the identity of an authorization server, in a REGISTER
   request sent towards a SIP registrar.

4.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

5.  'authorization-entity' header field parameter

5.1.  General

   This section defines a new Authorization header field 'authorization-
   entity' header field parameter.  The header field parameter is used
   in a REGISTER request to convey a string value which represents the
   identity of an authorization server.  The header field parameter is
   included in the REGISTER request by the entity which verifies the
   access token received from a SIP UA.

   This document only describes the usage of the authorization-entity
   header field parameter within a REGISTER request.  Usage with other
   SIP methods, or within REGISTER responses, is unspecified.

5.2.  Syntax

5.2.1.  General

   This section defines the ABNF for the SIP Authorization
   'authorization-entity' header field parameter.  The ABNF defined in
   this specification is conformant to RFC 5234 [RFC5234].

5.2.2.  ABNF

   The ABNF [RFC5234] grammar for the 'authorization-entity' header
   field parameter is:





Holmberg                Expires November 29, 2015               [Page 4]

Internet-Draft        Authorization server identity             May 2015


   dig-resp    /= "authorization-entity" EQUAL quoted-string
   ;; quoted-string defined in RFC 3261

6.  Security Considerations

   Security considerations come here.

7.  IANA Considerations

   [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number of this
   document.]

   This specification adds one new header field parameter to the IANA
   registration in the "Header Field Parameters and Parameter Values"
   registry, as specified in [RFC3969].


                   Header Field:           Authorization
                   Parameter Name:         authorization-entity
                   Predefined Values:      No
                   Reference:                      RFCXXXX


8.  Acknowledgments

   The author wishes to thank everyone in the 3GPP community that
   provided input and comments on this document.

9.  Change Log

   [RFC EDITOR NOTE: Please remove this section when publishing]

   draft-holmberg-sipcore-auth-id-xx

   o

   draft-holmberg-sipcore-auth-id-00

   o  Editorial changes/corrections.

10.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.







Holmberg                Expires November 29, 2015               [Page 5]

Internet-Draft        Authorization server identity             May 2015


   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3969]  Camarillo, G., "The Internet Assigned Number Authority
              (IANA) Uniform Resource Identifier (URI) Parameter
              Registry for the Session Initiation Protocol (SIP)", BCP
              99, RFC 3969, December 2004.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
              6749, October 2012.

   [I-D.yusef-sipcore-sip-oauth]
              Shekh-Yusef, R. and V. Pascual, "The Session Initiation
              Protocol (SIP) OAuth", draft-yusef-sipcore-sip-oauth-02
              (work in progress), April 2015.

Appendix A.  3GPP Examples

A.1.  General

   This section contains example call flows based on 3GPP usage of the
   authorization-entity header field parameter.

A.2.  WIC registration using web credentials

   The WWSF/WAF authenticates, obtains and provides an access token to,
   the WIC.  The WIC includes the access token in the REGISTER request
   sent to the eP-CSCF.  The eP-CSCF validates the access token with the
   WAF, and obtains IMS credentials associated with the token.  The eP-
   CSCF includes the IMS credentials, and a string value representing
   the identity of the WAF, in the REGISTER request before forwarding it
   towards the S-CSCF.


    Alice/WIC        WWSF/WAF       eP-CSCF           S-CSCF
     |                |                |                |
     |   F1           |                |                |
     |<-------------->|                |                |
     |                |                |                |
     |   REGISTER F2                   |                |
     |-------------------------------->|                |
     |                |                |                |
     |                |   F3           |                |



Holmberg                Expires November 29, 2015               [Page 6]

Internet-Draft        Authorization server identity             May 2015


     |                |<-------------->|                |
     |                |                |  REGISTER F4   |
     |                |                |--------------->|
     |                |                |                |
     |                |                |  200 (OK) F5   |
     |                |                |<---------------|
     |   200 (OK) F6                   |                |
     |<--------------------------------|                |
     |                |                |                |


      F1 WIC <-> WWSF/WAF
      The WWSF/WAF authenticates Alice, using "web credentials"
      (e.g. username and password), and obtains an access
      token. The access token and the WIC (typically a JavaScript
      application) is provided to Alice.

      F2 REGISTER WIC -> eP-CSCF
      REGISTER sip:registrar.home1.net SIP/2.0
      Authorization: Bearer access_token="O91G451HZ0V......"

      F3 eP-CSCF <-> WWSF/WAF
      The eP-CSCF validates the access token with the WAF,
      and obtains IMS credentials associated with the user,
      and a string value representing the identity of the WAF.

      F4 REGISTER eP-CSCF -> S-CSCF
      REGISTER sip:registrar.home1.net SIP/2.0
      Authorization: Digest username="user1_private@home1.net",
       realm="registrar.home1.net",
           nonce="",
           uri="sip:registrar.home1.net",
           response="",
           authorization-entity="webrtc_authserver1@thirdparty.net"

      F5 200 OK S-CSCF -> eP-CSCF
      200 OK

      F6 200 OK eP-CSCF -> WIC
      200 OK


                   Figure 1: The UE registers via P-CSCF








Holmberg                Expires November 29, 2015               [Page 7]

Internet-Draft        Authorization server identity             May 2015


Author's Address

   Christer Holmberg
   Ericsson
   Hirsalantie 11
   Jorvas  02420
   Finland

   Email: christer.holmberg@ericsson.com










































Holmberg                Expires November 29, 2015               [Page 8]