ACE Working Group S. Gerdes Internet-Draft O. Bergmann Intended status: Informational C. Bormann Expires: January 7, 2016 Universitaet Bremen TZI July 06, 2015 Examples for Using DCAF with less constrained devices draft-gerdes-ace-dcaf-examples-00 Abstract Constrained nodes are devices which are limited in terms of processing power, memory, non-volatile storage and transmission capacity. Due to these constraints, commonly used security protocols are not easily applicable. Nevertheless, an authentication and authorization solution is needed to ensure the security of these devices. The Delegated CoAP Authorization Framework (DCAF) specifies how resource-constrained nodes can delegate defined authentication- and authorization-related tasks to less-constrained devices called Authorization Managers, thus limiting the hardware requirements of the security solution for the constrained devices. To realize the vision of "one Internet for all", constrained devices need to securely establish trust relationships with less constrained devices. This document lists examples for using DCAF with less constrained devices. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 7, 2016. Gerdes, et al. Expires January 7, 2016 [Page 1] Internet-Draft dcaf-examples July 2015 Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Example 1: Posting Sensor Values on a Website using OpenID Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 6.2. Informative References . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction See abstract. 2. Terminology o Readers should be familiar with the concepts introduced in [I-D.gerdes-ace-dcaf-authorize] To reduce the confusion between OpenID and DCAF services, we are using the following terminology: o Server Authorization Manager (SAM): An entity that prepares and endorses authentication and authorization data for a Server. o Client Authorization Manager (CAM): An entity that prepares and endorses authentication and authorization data for a Client. o Server (S): An endpoint that hosts and represents a resource. Gerdes, et al. Expires January 7, 2016 [Page 2] Internet-Draft dcaf-examples July 2015 o Client (C): An endpoint that attempts to access a resource on the Server. 3. Example 1: Posting Sensor Values on a Website using OpenID Connect To illustrate this example, we assume the following scenario: Sarah has a constrained device that is equipped with a temperature sensor. During a heat wave, she wants her device to continuously post the current room temperature in her office in the blog of her social media account to inform others of her working conditions. She wants to use OpenID Connect to log into CAM and establish a trust relationship between the temperature sensor and her blog. The temperature sensor that is acting as a CoAP client (C) in this scenario is associated with a Client Authorization Manager (CAM) that helps C with authentication and authorization and provides a user interface to Sarah for configuring C. The blog on her social media account acts as a DCAF server (S). In this first example, Sarah is registered with an OpenID provider (OP) that CAM accepts for authentication and which additionally acts as an Authorization Server (AS) for her social media service. Moreover, AS is compatible with DCAF and acts as a DCAF server authorization manager (SAM). For requesting access to the blog, OP defines the scope parameter coaps://blog.socialmedia.example.com. Sarah uses the browser on her smartphone as a User Agent (UA) to initiate the authentication and authorization process. This example illustrates the authentication and authorization using the OpenID Connect Authorization Code Flow as described in section 3.1 of [OpenID-Connect]. Sarah uses her UA to request CAM to configure C to access her blog. To authenticate Sarah, CAM generates an Authentication Request (cf. section 3.1.2.1 of [OpenID-Connect]). Since CAM needs to obtain authorization for accessing Sarah's Blog for C, it also adds the scope parameter coaps://blog.socialmedia.example.com. CAM sends the Authentication Request to Sarah's UA, thereby triggering it to send an Authentication Request to OP's Authorization Endpoint. HTTP/1.1 302 Found Location: https://server.example.com/authorize? response_type=code &scope=openid%20coaps://blog.socialmedia.example.com &client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fcam.example.org%2Flogin Gerdes, et al. Expires January 7, 2016 [Page 3] Internet-Draft dcaf-examples July 2015 After authenticating Sarah and requesting her permission (for details please consult sections 3.1.2.3 and 3.1.2.4 of [OpenID-Connect]), the OP sends back a successful Authentication Response that contains the parameter code. The code can then be used by CAM to send a Token Request to the Token Endpoint which responds with an ID token, an access token and a refresh token. CAM uses the ID token and access token to authenticate Sarah. The refresh token is then used to request an additional access token for accessing the blog. CAM sends the refresh token to the Token Endpoint with the scope coaps://blog.socialmedia.example.com. The Token Endpoint validates the refresh token and makes sure that the requested scope does fit to the original grant. The Token Endpoint speaks both DCAF and OAuth and acts as SAM. It generates a ticket including a verifier and sends it back to CAM. CAM transmits the ticket to its client and instructs it to access the blog. The client then uses the ticket to establish a DTLS connection with the blog. Figure 1 illustrates the resulting message flow. (Please refer to PDF version to see this picture.) Figure 1: Authentication and Authorization Flow 4. Security Considerations TBD 5. IANA Considerations None 6. References 6.1. Normative References [I-D.gerdes-ace-dcaf-authorize] Gerdes, S., Bergmann, O., and C. Bormann, "Delegated CoAP Authentication and Authorization Framework (DCAF)", draft- gerdes-ace-dcaf-authorize-02 (work in progress), March 2015. 6.2. Informative References [OpenID-Connect] Sakimura, N., Bradley, J., Jones, M., de Madeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", November 2014. Gerdes, et al. Expires January 7, 2016 [Page 4] Internet-Draft dcaf-examples July 2015 Authors' Addresses Stefanie Gerdes Universitaet Bremen TZI Postfach 330440 Bremen D-28359 Germany Phone: +49-421-218-63906 Email: gerdes@tzi.org Olaf Bergmann Universitaet Bremen TZI Postfach 330440 Bremen D-28359 Germany Phone: +49-421-218-63904 Email: bergmann@tzi.org Carsten Bormann Universitaet Bremen TZI Postfach 330440 Bremen D-28359 Germany Phone: +49-421-218-63921 Email: cabo@tzi.org Gerdes, et al. Expires January 7, 2016 [Page 5]