-
Notifications
You must be signed in to change notification settings - Fork 8
/
draft-ietf-ace-oauth-authz.txt
4010 lines (3257 loc) · 183 KB
/
draft-ietf-ace-oauth-authz.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Internet Engineering Task Force (IETF) L. Seitz
Request for Comments: 9200 Combitech
Category: Standards Track G. Selander
ISSN: 2070-1721 Ericsson
E. Wahlstroem
S. Erdtman
Spotify AB
H. Tschofenig
Arm Ltd.
March 2022
Authentication and Authorization for Constrained Environments Using the
OAuth 2.0 Framework (ACE-OAuth)
Abstract
This specification defines a framework for authentication and
authorization in Internet of Things (IoT) environments called
ACE-OAuth. The framework is based on a set of building blocks
including OAuth 2.0 and the Constrained Application Protocol (CoAP),
thus transforming a well-known and widely used authorization solution
into a form suitable for IoT devices. Existing specifications are
used where possible, but extensions are added and profiles are
defined to better serve the IoT use cases.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9200.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology
3. Overview
3.1. OAuth 2.0
3.2. CoAP
4. Protocol Interactions
5. Framework
5.1. Discovering Authorization Servers
5.2. Unauthorized Resource Request Message
5.3. AS Request Creation Hints
5.3.1. The Client-Nonce Parameter
5.4. Authorization Grants
5.5. Client Credentials
5.6. AS Authentication
5.7. The Authorization Endpoint
5.8. The Token Endpoint
5.8.1. Client-to-AS Request
5.8.2. AS-to-Client Response
5.8.3. Error Response
5.8.4. Request and Response Parameters
5.8.4.1. Grant Type
5.8.4.2. Token Type
5.8.4.3. Profile
5.8.4.4. Client-Nonce
5.8.5. Mapping Parameters to CBOR
5.9. The Introspection Endpoint
5.9.1. Introspection Request
5.9.2. Introspection Response
5.9.3. Error Response
5.9.4. Mapping Introspection Parameters to CBOR
5.10. The Access Token
5.10.1. The Authorization Information Endpoint
5.10.1.1. Verifying an Access Token
5.10.1.2. Protecting the Authorization Information Endpoint
5.10.2. Client Requests to the RS
5.10.3. Token Expiration
5.10.4. Key Expiration
6. Security Considerations
6.1. Protecting Tokens
6.2. Communication Security
6.3. Long-Term Credentials
6.4. Unprotected AS Request Creation Hints
6.5. Minimal Security Requirements for Communication
6.6. Token Freshness and Expiration
6.7. Combining Profiles
6.8. Unprotected Information
6.9. Identifying Audiences
6.10. Denial of Service Against or with Introspection
7. Privacy Considerations
8. IANA Considerations
8.1. ACE Authorization Server Request Creation Hints
8.2. CoRE Resource Types
8.3. OAuth Extensions Errors
8.4. OAuth Error Code CBOR Mappings
8.5. OAuth Grant Type CBOR Mappings
8.6. OAuth Access Token Types
8.7. OAuth Access Token Type CBOR Mappings
8.7.1. Initial Registry Contents
8.8. ACE Profiles
8.9. OAuth Parameters
8.10. OAuth Parameters CBOR Mappings
8.11. OAuth Introspection Response Parameters
8.12. OAuth Token Introspection Response CBOR Mappings
8.13. JSON Web Token Claims
8.14. CBOR Web Token Claims
8.15. Media Type Registration
8.16. CoAP Content-Formats
8.17. Expert Review Instructions
9. References
9.1. Normative References
9.2. Informative References
Appendix A. Design Justification
Appendix B. Roles and Responsibilities
Appendix C. Requirements on Profiles
Appendix D. Assumptions on AS Knowledge about the C and RS
Appendix E. Differences to OAuth 2.0
Appendix F. Deployment Examples
F.1. Local Token Validation
F.2. Introspection Aided Token Validation
Acknowledgments
Authors' Addresses
1. Introduction
Authorization is the process for granting approval to an entity to
access a generic resource [RFC4949]. The authorization task itself
can best be described as granting access to a requesting client for a
resource hosted on a device, i.e., the resource server (RS). This
exchange is mediated by one or multiple authorization servers (ASes).
Managing authorization for a large number of devices and users can be
a complex task.
While prior work on authorization solutions for the Web and for the
mobile environment also applies to the Internet of Things (IoT)
environment, many IoT devices are constrained, for example, in terms
of processing capabilities, available memory, etc. For such devices,
the Constrained Application Protocol (CoAP) [RFC7252] can alleviate
some resource concerns when used instead of HTTP to implement the
communication flows of this specification.
Appendix A gives an overview of the constraints considered in this
design, and a more detailed treatment of constraints can be found in
[RFC7228]. This design aims to accommodate different IoT deployments
as well as a continuous range of device and network capabilities.
Taking energy consumption as an example, at one end, there are
energy-harvesting or battery-powered devices that have a tight power
budget; on the other end, there are mains-powered devices; and all
levels exist in between.
Hence, IoT devices may be very different in terms of available
processing and message exchange capabilities, and there is a need to
support many different authorization use cases [RFC7744].
This specification describes a framework for Authentication and
Authorization for Constrained Environments (ACE) built on reuse of
OAuth 2.0 [RFC6749], thereby extending authorization to Internet of
Things devices. This specification contains the necessary building
blocks for adjusting OAuth 2.0 to IoT environments.
Profiles of this framework are available in separate specifications,
such as [RFC9202] or [RFC9203]. Such profiles may specify the use of
the framework for a specific security protocol and the underlying
transports for use in a specific deployment environment to improve
interoperability. Implementations may claim conformance with a
specific profile, whereby implementations utilizing the same profile
interoperate, while implementations of different profiles are not
expected to be interoperable. More powerful devices, such as mobile
phones and tablets, may implement multiple profiles and will
therefore be able to interact with a wider range of constrained
devices. Requirements on profiles are described at contextually
appropriate places throughout this specification and also summarized
in Appendix C.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Certain security-related terms, such as "authentication",
"authorization", "confidentiality", "(data) integrity", "message
authentication code", and "verify", are taken from [RFC4949].
Since exchanges in this specification are described as RESTful
protocol interactions, HTTP [RFC7231] offers useful terminology.
(Note that "RESTful" refers to the Representational State Transfer
(REST) architecture.)
Terminology for entities in the architecture is defined in OAuth 2.0
[RFC6749], such as client (C), resource server (RS), and
authorization server (AS).
Note that the term "endpoint" is used here following its OAuth
definition, which is to denote resources, such as token and
introspection at the AS and authz-info at the RS (see Section 5.10.1
for a definition of the authz-info endpoint). The CoAP definition,
which is "[a]n entity participating in the CoAP protocol" [RFC7252],
is not used in this specification.
The specification in this document is called the "framework" or "ACE
framework". When referring to "profiles of this framework", it
refers to additional specifications that define the use of this
specification with concrete transport and communication security
protocols (e.g., CoAP over DTLS).
The term "Access Information" is used for parameters, other than the
access token, provided to the client by the AS to enable it to access
the RS (e.g., public key of the RS or profile supported by RS).
The term "authorization information" is used to denote all
information, including the claims of relevant access tokens, that an
RS uses to determine whether an access request should be granted.
Throughout this document, examples for CBOR data items are expressed
in CBOR extended diagnostic notation as defined in Section 8 of
[RFC8949] and Appendix G of [RFC8610] ("diagnostic notation"), unless
noted otherwise. We often use diagnostic notation comments to
provide a textual representation of the numeric parameter names and
values.
3. Overview
This specification defines the ACE framework for authorization in the
Internet of Things environment. It consists of a set of building
blocks.
The basic block is the OAuth 2.0 [RFC6749] framework, which enjoys
widespread deployment. Many IoT devices can support OAuth 2.0
without any additional extensions, but for certain constrained
settings, additional profiling is needed.
Another building block is the lightweight web transfer protocol CoAP
[RFC7252], for those communication environments where HTTP is not
appropriate. CoAP typically runs on top of UDP, which further
reduces overhead and message exchanges. While this specification
defines extensions for the use of OAuth over CoAP, other underlying
protocols are not prohibited from being supported in the future, such
as HTTP/2 [RFC7540], Message Queuing Telemetry Transport (MQTT)
[MQTT5.0], Bluetooth Low Energy (BLE) [BLE], and QUIC [RFC9000].
Note that this document specifies protocol exchanges in terms of
RESTful verbs, such as GET and POST. Future profiles using protocols
that do not support these verbs MUST specify how the corresponding
protocol messages are transmitted instead.
A third building block is the Concise Binary Object Representation
(CBOR) [RFC8949], for encodings where JSON [RFC8259] is not
sufficiently compact. CBOR is a binary encoding designed for small
code and message size. Self-contained tokens and protocol message
payloads are encoded in CBOR when CoAP is used. When CoAP is not
used, the use of CBOR remains RECOMMENDED.
A fourth building block is CBOR Object Signing and Encryption (COSE)
[RFC8152], which enables object-level layer security as an
alternative or complement to transport layer security (DTLS [RFC6347]
or TLS [RFC8446]). COSE is used to secure self-contained tokens,
such as proof-of-possession (PoP) tokens, which are an extension to
the OAuth bearer tokens. The default token format is defined in CBOR
Web Token (CWT) [RFC8392]. Application-layer security for CoAP using
COSE can be provided with Object Security for Constrained RESTful
Environments (OSCORE) [RFC8613].
With the building blocks listed above, solutions satisfying various
IoT device and network constraints are possible. A list of
constraints is described in detail in [RFC7228], and a description of
how the building blocks mentioned above relate to the various
constraints can be found in Appendix A.
Luckily, not every IoT device suffers from all constraints.
Nevertheless, the ACE framework takes all these aspects into account
and allows several different deployment variants to coexist, rather
than mandating a one-size-fits-all solution. It is important to
cover the wide range of possible interworking use cases and the
different requirements from a security point of view. Once IoT
deployments mature, popular deployment variants will be documented in
the form of ACE profiles.
3.1. OAuth 2.0
The OAuth 2.0 authorization framework enables a client to obtain
scoped access to a resource with the permission of a resource owner.
Authorization information, or references to it, is passed between the
nodes using access tokens. These access tokens are issued to clients
by an authorization server with the approval of the resource owner.
The client uses the access token to access the protected resources
hosted by the resource server.
A number of OAuth 2.0 terms are used within this specification:
Access Tokens:
Access tokens are credentials needed to access protected
resources. An access token is a data structure representing
authorization permissions issued by the AS to the client. Access
tokens are generated by the AS and consumed by the RS. The access
token content is opaque to the client.
Access tokens can have different formats and various methods of
utilization (e.g., cryptographic properties) based on the security
requirements of the given deployment.
Introspection:
Introspection is a method for a resource server, or potentially a
client, to query the authorization server for the active state and
content of a received access token. This is particularly useful
in those cases where the authorization decisions are very dynamic
and/or where the received access token itself is an opaque
reference, rather than a self-contained token. More information
about introspection in OAuth 2.0 can be found in [RFC7662].
Refresh Tokens:
Refresh tokens are credentials used to obtain access tokens.
Refresh tokens are issued to the client by the authorization
server and are used to obtain a new access token when the current
access token expires or to obtain additional access tokens with
identical or narrower scope (such access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). Issuing a refresh token is optional at the discretion of
the authorization server. If the authorization server issues a
refresh token, it is included when issuing an access token (i.e.,
step (B) in Figure 1).
A refresh token in OAuth 2.0 is a string representing the
authorization granted to the client by the resource owner. The
string is usually opaque to the client. The token denotes an
identifier used to retrieve the authorization information. Unlike
access tokens, refresh tokens are intended for use only with
authorization servers and are never sent to resource servers. In
this framework, refresh tokens are encoded in binary instead of
strings, if used.
Proof-of-Possession Tokens:
A token may be bound to a cryptographic key, which is then used to
bind the token to a request authorized by the token. Such tokens
are called proof-of-possession tokens (or PoP tokens).
The proof-of-possession security concept used here assumes that
the AS acts as a trusted third party that binds keys to tokens.
In the case of access tokens, these so-called PoP keys are then
used by the client to demonstrate the possession of the secret to
the RS when accessing the resource. The RS, when receiving an
access token, needs to verify that the key used by the client
matches the one bound to the access token. When this
specification uses the term "access token", it is assumed to be a
PoP access token unless specifically stated otherwise.
The key bound to the token (the PoP key) may use either symmetric
or asymmetric cryptography. The appropriate choice of the kind of
cryptography depends on the constraints of the IoT devices as well
as on the security requirements of the use case.
Symmetric PoP key:
The AS generates a random, symmetric PoP key. The key is
either stored to be returned on introspection calls or included
in the token. Either the whole token or only the key MUST be
encrypted in the latter case. The PoP key is also returned to
client together with the token, protected by the secure
channel.
Asymmetric PoP key:
An asymmetric key pair is generated by the client and the
public key is sent to the AS (if it does not already have
knowledge of the client's public key). Information about the
public key, which is the PoP key in this case, is either stored
to be returned on introspection calls or included inside the
token and sent back to the client. The resource server
consuming the token can identify the public key from the
information in the token, which allows the client to use the
corresponding private key for the proof of possession.
The token is either a simple reference or a structured information
object (e.g., CWT [RFC8392]) protected by a cryptographic wrapper
(e.g., COSE [RFC8152]). The choice of PoP key does not
necessarily imply a specific credential type for the integrity
protection of the token.
Scopes and Permissions:
In OAuth 2.0, the client specifies the type of permissions it is
seeking to obtain (via the "scope" parameter) in the access token
request. In turn, the AS may use the "scope" response parameter
to inform the client of the scope of the access token issued. As
the client could be a constrained device as well, this
specification defines the use of CBOR encoding (see Section 5) for
such requests and responses.
The values of the "scope" parameter in OAuth 2.0 are expressed as
a list of space-delimited, case-sensitive strings with a semantic
that is well known to the AS and the RS. More details about the
concept of scopes are found under Section 3.3 of [RFC6749].
Claims:
Information carried in the access token or returned from
introspection, called claims, is in the form of name-value pairs.
An access token may, for example, include a claim identifying the
AS that issued the token (via the "iss" claim) and what audience
the access token is intended for (via the "aud" claim). The
audience of an access token can be a specific resource, one
resource, or many resource servers. The resource owner policies
influence what claims are put into the access token by the
authorization server.
While the structure and encoding of the access token varies
throughout deployments, a standardized format has been defined
with the JSON Web Token (JWT) [RFC7519], where claims are encoded
as a JSON object. In [RFC8392], the CBOR Web Token (CWT) has been
defined as an equivalent format using CBOR encoding.
Token and Introspection Endpoints:
The AS hosts the token endpoint that allows a client to request
access tokens. The client makes a POST request to the token
endpoint on the AS and receives the access token in the response
(if the request was successful).
In some deployments, a token introspection endpoint is provided by
the AS, which can be used by the RS and potentially the client, if
they need to request additional information regarding a received
access token. The requesting entity makes a POST request to the
introspection endpoint on the AS and receives information about
the access token in the response. (See "Introspection" above.)
3.2. CoAP
CoAP is an application-layer protocol similar to HTTP but
specifically designed for constrained environments. CoAP typically
uses datagram-oriented transport, such as UDP, where reordering and
loss of packets can occur. A security solution needs to take the
latter aspects into account.
While HTTP uses headers and query strings to convey additional
information about a request, CoAP encodes such information into
header parameters called 'options'.
CoAP supports application-layer fragmentation of the CoAP payloads
through block-wise transfers [RFC7959]. However, block-wise transfer
does not increase the size limits of CoAP options; therefore, data
encoded in options has to be kept small.
Transport layer security for CoAP can be provided by DTLS or TLS
[RFC6347] [RFC8446] [RFC9147]. CoAP defines a number of proxy
operations that require transport layer security to be terminated at
the proxy. One approach for protecting CoAP communication end-to-end
through proxies, and also to support security for CoAP over a
different transport in a uniform way, is to provide security at the
application layer using an object-based security mechanism, such as
COSE [RFC8152].
One application of COSE is OSCORE [RFC8613], which provides end-to-
end confidentiality, integrity and replay protection, and a secure
binding between CoAP request and response messages. In OSCORE, the
CoAP messages are wrapped in COSE objects and sent using CoAP.
In this framework, the use of CoAP as replacement for HTTP is
RECOMMENDED for use in constrained environments. For communication
security, this framework does not make an explicit protocol
recommendation, since the choice depends on the requirements of the
specific application. DTLS [RFC6347] [RFC9147] and OSCORE [RFC8613]
are mentioned as examples; other protocols fulfilling the
requirements from Section 6.5 are also applicable.
4. Protocol Interactions
The ACE framework is based on the OAuth 2.0 protocol interactions
using the token endpoint and optionally the introspection endpoint.
A client obtains an access token, and optionally a refresh token,
from an AS using the token endpoint and subsequently presents the
access token to an RS to gain access to a protected resource. In
most deployments, the RS can process the access token locally;
however, in some cases, the RS may present it to the AS via the
introspection endpoint to get fresh information. These interactions
are shown in Figure 1. An overview of various OAuth concepts is
provided in Section 3.1.
+--------+ +---------------+
| |---(A)-- Token Request ------->| |
| | | Authorization |
| |<--(B)-- Access Token ---------| Server |
| | + Access Information | |
| | + Refresh Token (optional) +---------------+
| | ^ |
| | Introspection Request (D)| |
| Client | Response | |(E)
| | (optional exchange) | |
| | | v
| | +--------------+
| |---(C)-- Token + Request ----->| |
| | | Resource |
| |<--(F)-- Protected Resource ---| Server |
| | | |
+--------+ +--------------+
Figure 1: Basic Protocol Flow
Requesting an Access Token (A):
The client makes an access token request to the token endpoint at
the AS. This framework assumes the use of PoP access tokens (see
Section 3.1 for a short description) wherein the AS binds a key to
an access token. The client may include permissions it seeks to
obtain and information about the credentials it wants to use for
proof of possession (e.g., symmetric/asymmetric cryptography or a
reference to a specific key) of the access token.
Access Token Response (B):
If the request from the client has been successfully verified,
authenticated, and authorized, the AS returns an access token and
optionally a refresh token. Note that only certain grant types
support refresh tokens. The AS can also return additional
parameters, referred to as "Access Information". In addition to
the response parameters defined by OAuth 2.0 and the PoP access
token extension, this framework defines parameters that can be
used to inform the client about capabilities of the RS, e.g., the
profile the RS supports. More information about these parameters
can be found in Section 5.8.4.
Resource Request (C):
The client interacts with the RS to request access to the
protected resource and provides the access token. The protocol to
use between the client and the RS is not restricted to CoAP.
HTTP, HTTP/2 [RFC7540], QUIC [RFC9000], MQTT [MQTT5.0], Bluetooth
Low Energy [BLE], etc., are also viable candidates.
Depending on the device limitations and the selected protocol,
this exchange may be split up into two parts:
(1) the client sends the access token containing, or referencing,
the authorization information to the RS that will be used for
subsequent resource requests by the client, and
(2) the client makes the resource access request using the
communication security protocol and other Access Information
obtained from the AS.
The client and the RS mutually authenticate using the security
protocol specified in the profile (see step (B)) and the keys
obtained in the access token or the Access Information. The RS
verifies that the token is integrity protected and originated by
the AS. It then compares the claims contained in the access token
with the resource request. If the RS is online, validation can be
handed over to the AS using token introspection (see messages (D)
and (E)) over HTTP or CoAP.
Token Introspection Request (D):
A resource server may be configured to introspect the access token
by including it in a request to the introspection endpoint at that
AS. Token introspection over CoAP is defined in Section 5.9 and
for HTTP in [RFC7662].
Note that token introspection is an optional step and can be
omitted if the token is self-contained and the resource server is
prepared to perform the token validation on its own.
Token Introspection Response (E):
The AS validates the token and returns the most recent parameters,
such as "scope", "audience", validity, etc., associated with it
back to the RS. The RS then uses the received parameters to
process the request to either accept or to deny it.
Protected Resource (F):
If the request from the client is authorized, the RS fulfills the
request and returns a response with the appropriate response code.
The RS uses the dynamically established keys to protect the
response according to the communication security protocol used.
The OAuth 2.0 framework defines a number of "protocol flows" via
grant types, which have been extended further with extensions to
OAuth 2.0 (such as [RFC7521] and [RFC8628]). What grant type works
best depends on the usage scenario; [RFC7744] describes many
different IoT use cases, but there are two grant types that cover a
majority of these scenarios, namely the authorization code grant
(described in Section 4.1 of [RFC6749]) and the client credentials
grant (described in Section 4.4 of [RFC6749]). The authorization
code grant is a good fit for use with apps running on smartphones and
tablets that request access to IoT devices, a common scenario in the
smart home environment, where users need to go through an
authentication and authorization phase (at least during the initial
setup phase). The native apps guidelines described in [RFC8252] are
applicable to this use case. The client credentials grant is a good
fit for use with IoT devices where the OAuth client itself is
constrained. In such a case, the resource owner has prearranged
access rights for the client with the authorization server, which is
often accomplished using a commissioning tool.
The consent of the resource owner, for giving a client access to a
protected resource, can be provided dynamically as in the classical
OAuth flows, or it could be preconfigured by the resource owner as
authorization policies at the AS, which the AS evaluates when a token
request arrives. The resource owner and the requesting party (i.e.,
client owner) are not shown in Figure 1.
This framework supports a wide variety of communication security
mechanisms between the ACE entities, such as the client, AS, and RS.
It is assumed that the client has been registered (also called
enrolled or onboarded) to an AS using a mechanism defined outside the
scope of this document. In practice, various techniques for
onboarding have been used, such as factory-based provisioning or the
use of commissioning tools. Regardless of the onboarding technique,
this provisioning procedure implies that the client and the AS
exchange credentials and configuration parameters. These credentials
are used to mutually authenticate each other and to protect messages
exchanged between the client and the AS.
It is also assumed that the RS has been registered with the AS,
potentially in a similar way as the client has been registered with
the AS. Established keying material between the AS and the RS allows
the AS to apply cryptographic protection to the access token to
ensure that its content cannot be modified and, if needed, that the
content is confidentiality protected. Confidentiality protection of
the access token content would be provided on top of confidentiality
protection via a communication security protocol.
The keying material necessary for establishing communication security
between the C and RS is dynamically established as part of the
protocol described in this document.
At the start of the protocol, there is an optional discovery step
where the client discovers the resource server and the resources this
server hosts. In this step, the client might also determine what
permissions are needed to access the protected resource. A generic
procedure is described in Section 5.1; profiles MAY define other
procedures for discovery.
In Bluetooth Low Energy, for example, advertisements are broadcast by
a peripheral, including information about the primary services. In
CoAP, as a second example, a client can make a request to "/.well-
known/core" to obtain information about available resources, which
are returned in a standardized format, as described in [RFC6690].
5. Framework
The following sections detail the profiling and extensions of OAuth
2.0 for constrained environments, which constitutes the ACE
framework.
Credential Provisioning
In constrained environments, it cannot be assumed that the client
and the RS are part of a common key infrastructure. Therefore,
the AS provisions credentials and associated information to allow
mutual authentication between the client and the RS. The
resulting security association between the client and the RS may
then also be used to bind these credentials to the access tokens
the client uses.
Proof of Possession
The ACE framework, by default, implements proof of possession for
access tokens, i.e., that the token holder can prove being a
holder of the key bound to the token. The binding is provided by
the "cnf" (confirmation) claim [RFC8747], indicating what key is
used for proof of possession. If a client needs to submit a new
access token, e.g., to obtain additional access rights, they can
request that the AS binds this token to the same key as the
previous one.
ACE Profiles
The client or RS may be limited in the encodings or protocols it
supports. To support a variety of different deployment settings,
specific interactions between the client and RS are defined in an
ACE profile. In the ACE framework, the AS is expected to manage
the matching of compatible profile choices between a client and an
RS. The AS informs the client of the selected profile using the
"ace_profile" parameter in the token response.
OAuth 2.0 requires the use of TLS to protect the communication
between the AS and client when requesting an access token between the
client and RS when accessing a resource and between the AS and RS if
introspection is used. In constrained settings, TLS is not always
feasible or desirable. Nevertheless, it is REQUIRED that the
communications named above are encrypted, integrity protected, and
protected against message replay. It is also REQUIRED that the
communicating endpoints perform mutual authentication. Furthermore,
it MUST be assured that responses are bound to the requests in the
sense that the receiver of a response can be certain that the
response actually belongs to a certain request. Note that setting up
such a secure communication may require some unprotected messages to
be exchanged first (e.g., sending the token from the client to the
RS).
Profiles MUST specify a communication security protocol between the
client and RS that provides the features required above. Profiles
MUST specify a communication security protocol RECOMMENDED to be used
between the client and AS that provides the features required above.
Profiles MUST specify, for introspection, a communication security
protocol RECOMMENDED to be used between the RS and AS that provides
the features required above. These recommendations enable
interoperability between different implementations without the need
to define a new profile if the communication between the C and AS, or
between the RS and AS, is protected with a different security
protocol complying with the security requirements above.
In OAuth 2.0, the communication with the Token and the Introspection
endpoints at the AS is assumed to be via HTTP and may use Uri-query
parameters. When profiles of this framework use CoAP instead, it is
REQUIRED to use of the following alternative instead of Uri-query
parameters: The sender (client or RS) encodes the parameters of its
request as a CBOR map and submits that map as the payload of the POST
request. The CBOR encoding for a number of OAuth 2.0 parameters is
specified in this document; if a profile needs to use other OAuth 2.0
parameters with CoAP, it MUST specify their CBOR encoding.
Profiles that use CBOR encoding of protocol message parameters at the
outermost encoding layer MUST use the Content-Format "application/
ace+cbor". If CoAP is used for communication, the Content-Format
MUST be abbreviated with the ID: 19 (see Section 8.16).
The OAuth 2.0 AS uses a JSON structure in the payload of its
responses both to the client and RS. If CoAP is used, it is REQUIRED
to use CBOR [RFC8949] instead of JSON. Depending on the profile, the
CBOR payload MAY be enclosed in a non-CBOR cryptographic wrapper.
5.1. Discovering Authorization Servers
The C must discover the AS in charge of the RS to determine where to
request the access token. To do so, the C 1) must find out the AS
URI to which the token request message must be sent and 2) MUST
validate that the AS with this URI is authorized to provide access
tokens for this RS.
In order to determine the AS URI, the C MAY send an initial
Unauthorized Resource Request message to the RS. The RS then denies
the request and sends the address of its AS back to the C (see
Section 5.2). How the C validates the AS authorization is not in
scope for this document. The C may, for example, ask its owner if
this AS is authorized for this RS. The C may also use a mechanism
that addresses both problems at once (e.g., by querying a dedicated
secure service provided by the client owner) .
5.2. Unauthorized Resource Request Message
An Unauthorized Resource Request message is a request for any
resource hosted by the RS for which the client does not have
authorization granted. The RSs MUST treat any request for a
protected resource as an Unauthorized Resource Request message when
any of the following hold:
* The request has been received on an unsecured channel.
* The RS has no valid access token for the sender of the request
regarding the requested action on that resource.
* The RS has a valid access token for the sender of the request, but
that token does not authorize the requested action on the
requested resource.
Note: These conditions ensure that the RS can handle requests
autonomously once access was granted and a secure channel has been
established between the C and RS. The authz-info endpoint, as part
of the process for authorizing to protected resources, is not itself
a protected resource and MUST NOT be protected as specified above
(cf. Section 5.10.1).
Unauthorized Resource Request messages MUST be denied with an
"unauthorized_client" error response. In this response, the resource
server SHOULD provide proper AS Request Creation Hints to enable the
client to request an access token from the RS's AS, as described in
Section 5.3.
The handling of all client requests (including unauthorized ones) by
the RS is described in Section 5.10.2.
5.3. AS Request Creation Hints
The AS Request Creation Hints are sent by an RS as a response to an
Unauthorized Resource Request message (see Section 5.2) to help the
sender of the Unauthorized Resource Request message acquire a valid
access token. The AS Request Creation Hints are a CBOR or JSON map,
with an OPTIONAL element "AS" specifying an absolute URI (see
Section 4.3 of [RFC3986]) that identifies the appropriate AS for the
RS.
The message can also contain the following OPTIONAL parameters:
* An "audience" element containing an identifier the client should
request at the AS, as suggested by the RS. With this parameter,
when included in the access token request to the AS, the AS is
able to restrict the use of the access token to specific RSs. See
Section 6.9 for a discussion of this parameter.
* A "kid" (key identifier) element contains the key identifier of a
key used in an existing security association between the client
and the RS. The RS expects the client to request an access token
bound to this key in order to avoid having to reestablish the
security association.
* A "cnonce" element contains a client-nonce. See Section 5.3.1.
* A "scope" element contains the suggested scope that the client
should request towards the AS.
Table 1 summarizes the parameters that may be part of the AS Request
Creation Hints.
+==========+==========+=====================+
| Name | CBOR Key | Value Type |
+==========+==========+=====================+
| AS | 1 | text string |
+----------+----------+---------------------+
| kid | 2 | byte string |
+----------+----------+---------------------+
| audience | 5 | text string |
+----------+----------+---------------------+
| scope | 9 | text or byte string |
+----------+----------+---------------------+
| cnonce | 39 | byte string |
+----------+----------+---------------------+
Table 1: AS Request Creation Hints
Note that the schema part of the AS parameter may need to be adapted
to the security protocol that is used between the client and the AS.
Thus, the example AS value "coap://as.example.com/token" might need
to be transformed to "coaps://as.example.com/token". It is assumed
that the client can determine the correct schema part on its own
depending on the way it communicates with the AS.
Figure 2 shows an example for an AS Request Creation Hints payload
using diagnostic notation.
4.01 Unauthorized
Content-Format: application/ace+cbor
Payload :
{
/ AS / 1 : "coaps://as.example.com/token",
/ audience / 5 : "coaps://rs.example.com",
/ scope / 9 : "rTempC",
/ cnonce / 39 : h'e0a156bb3f'
}
Figure 2: AS Request Creation Hints Payload Example
In the example above, the response parameter "AS" points the receiver
of this message to the URI "coaps://as.example.com/token" to request
access tokens. The RS sending this response uses an internal clock
that is not synchronized with the clock of the AS. Therefore, it
cannot reliably verify the expiration time of access tokens it
receives. Nevertheless, to ensure a certain level of access token
freshness, the RS has included a "cnonce" parameter (see
Section 5.3.1) in the response. (The hex sequence of the "cnonce"
parameter is encoded in CBOR-based notation in this example.)
Figure 3 illustrates the mandatory use of binary encoding of the
message payload shown in Figure 2.
a4 # map(4)
01 # unsigned(1) (=AS)
78 1c # text(28)
636f6170733a2f2f61732e657861
6d706c652e636f6d2f746f6b656e # "coaps://as.example.com/token"
05 # unsigned(5) (=audience)
76 # text(22)
636f6170733a2f2f72732e657861
6d706c652e636f6d # "coaps://rs.example.com"
09 # unsigned(9) (=scope)
66 # text(6)
7254656d7043 # "rTempC"
18 27 # unsigned(39) (=cnonce)
45 # bytes(5)
e0a156bb3f #
Figure 3: AS Request Creation Hints Example Encoded in CBOR
5.3.1. The Client-Nonce Parameter
If the RS does not synchronize its clock with the AS, it could be
tricked into accepting old access tokens that are either expired or
have been compromised. In order to ensure some level of token
freshness in that case, the RS can use the "cnonce" (client-nonce)
parameter. The processing requirements for this parameter are as
follows:
* An RS sending a "cnonce" parameter in an AS Request Creation Hints
message MUST store information to validate that a given cnonce is
fresh. How this is implemented internally is out of scope for
this specification. Expiration of client-nonces should be based
roughly on the time it would take a client to obtain an access
token after receiving the AS Request Creation Hints, with some
allowance for unexpected delays.
* A client receiving a "cnonce" parameter in an AS Request Creation
Hints message MUST include this in the parameters when requesting
an access token at the AS, using the "cnonce" parameter from
Section 5.8.4.4.
* If an AS grants an access token request containing a "cnonce"
parameter, it MUST include this value in the access token, using
the "cnonce" claim specified in Section 5.10.
* An RS that is using the client-nonce mechanism and that receives
an access token MUST verify that this token contains a "cnonce"
claim, with a client-nonce value that is fresh according to the
information stored at the first step above. If the "cnonce" claim
is not present or if the "cnonce" claim value is not fresh, the RS
MUST discard the access token. If this was an interaction with
the authz-info endpoint, the RS MUST also respond with an error
message using a response code equivalent to the CoAP code 4.01
(Unauthorized).
5.4. Authorization Grants
To request an access token, the client obtains authorization from the
resource owner or uses its client credentials as a grant. The
authorization is expressed in the form of an authorization grant.
The OAuth framework [RFC6749] defines four grant types. The grant
types can be split up into two groups: those granted on behalf of the
resource owner (password, authorization code, implicit) and those for
the client (client credentials). Further grant types have been added
later, such as an assertion-based authorization grant defined in
[RFC7521].
The grant type is selected depending on the use case. In cases where
the client acts on behalf of the resource owner, the authorization
code grant is recommended. If the client acts on behalf of the
resource owner but does not have any display or has very limited
interaction possibilities, it is recommended to use the device code
grant defined in [RFC8628]. In cases where the client acts
autonomously, the client credentials grant is recommended.
For details on the different grant types, see Section 1.3 of
[RFC6749]. The OAuth 2.0 framework provides an extension mechanism
for defining additional grant types, so profiles of this framework
MAY define additional grant types, if needed.
5.5. Client Credentials
Authentication of the client is mandatory independent of the grant
type when requesting an access token from the token endpoint. In the
case of the client credentials grant type, the authentication and
grant coincide.
Client registration and provisioning of client credentials to the
client is out of scope for this specification.
The OAuth framework defines two client credential types in
Section 2.3.1 of [RFC6749]: client id and client secret.
[OAUTH-RPCC] adds raw public key and pre-shared key to the client
credentials types. Profiles of this framework MAY extend with an
additional client credentials type using client certificates.
5.6. AS Authentication
The client credentials grant does not, by default, authenticate the
AS that the client connects to. In classic OAuth, the AS is
authenticated with a TLS server certificate.
Profiles of this framework MUST specify how clients authenticate the
AS and how communication security is implemented. By default, server
side TLS certificates, as defined by OAuth 2.0, are required.
5.7. The Authorization Endpoint
The OAuth 2.0 authorization endpoint is used to interact with the
resource owner and obtain an authorization grant in certain grant
flows. The primary use case for the ACE-OAuth framework is for
machine-to-machine interactions that do not involve the resource
owner in the authorization flow; therefore, this endpoint is out of
scope here. Future profiles may define constrained adaptation
mechanisms for this endpoint as well. Nonconstrained clients
interacting with constrained resource servers can use the
specification in Section 3.1 of [RFC6749] and the attack
countermeasures suggested in Section 4.2 of [RFC6819].
5.8. The Token Endpoint
In standard OAuth 2.0, the AS provides the token endpoint for
submitting access token requests. This framework extends the
functionality of the token endpoint, giving the AS the possibility to
help the client and RS establish shared keys or exchange their public
keys. Furthermore, this framework defines encodings using CBOR as a
substitute for JSON.
The endpoint may also be exposed over HTTPS, as in classical OAuth or
even other transports. A profile MUST define the details of the
mapping between the fields described below and these transports. If
HTTPS with JSON is used, the semantics of Sections 4.1.3 and 4.1.4 of
the OAuth 2.0 specification [RFC6749] MUST be followed (with
additions as described below). If CBOR is used as the payload
format, the semantics described in this section MUST be followed.
For the AS to be able to issue a token, the client MUST be
authenticated and present a valid grant for the scopes requested.