Internet-Draft | Abbreviated Title | October 2023 |
Sudarsan, et al. | Expires 20 April 2024 | [Page] |
This draft proposes a new grant type for OAuth based on PoA-based authorization, that introduces a new role "principal" who controls the client, and enables the client to access resources owned by the resource owner via OAuth authorization server, on behalf of the principal, even if the principal is not online.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 April 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This OAuth 2.0 [OAuth] protocol grant type extension makes the OAuth applicable in a scenario where a principal (e.g., a user) who controls the OAuth client delegates their power to the client which allows the client to access resources from the resource owner on behalf of the user. The subgranting of power from the principal to the client is made possible using the self-contained PoA-based authorization. PoA-based authorization is a generic authorization technique used to authorize devices to access protected resources on behalf of the principal (user). Here, the client includes autonomous/semi-autonomous devices with sufficient resources to take part in the authorization process. PoA adds the following critical properties to OAuth:¶
For example, consider a scenario where a user is occupied with some other tasks and requires data/resources from a third-party web server (resource owner). The user who owns an autonomous/semi-autonomous CPS/IoT device (client) can authorize/delegate their power to their trusted device. This allows the device to request the required resources and act/work on behalf of the principal. This can be achieved with the extension of OAuth grant types with the decentralized PoA-based authorization.¶
The feature of multi-level authorization allows the agent to transfer the PoA to another agent. The parameter transferable in the PoA indicates the allowed number of transfers of the PoA. The first agent sends a different PoA with the root PoA inside to the second agent, by signing the secondary PoA with its private key. The signing along with the generation of secondary PoAs continues with the number of agents in the trust chain. The secondary PoAs can be traced back to the root PoA, which allows the resource owner to identify different agents in the trust chain.¶
The operational assumptions for using this authorization grant type are:¶
While other approaches use lightweight messages, the PoA is an immutable signed message and assumes that the clients are typically not resource-constrained. A detailed explanation of PoA-based authorization and its differences between OAuth and other similar authorization standards can be found here (add information draft link here).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
There are five roles in the proposed grant type. The role principal is an addition to the existing roles of OAuth protocol.¶
OAuth defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials. It also provides an extension mechanism for defining additional grant types. The proposed newer grant type is PoA-based authorization.¶
PoA-based authorization is used in a scenario, where the principal (user) requires its trusted client/agent to access resources owned by the resource owner (may be different from the principal, based on already established trust relation between the principal and the resource owner) on behalf of the principal, even if the principal is not online. PoA-based authorization adds the principal role to the OAuth protocol [OAuth]. Figure 1 shows the PoA-based OAuth grant type.¶
The flow illustrated in Figure 1 includes the following steps:¶
The PoAs are self-contained tokens that are structured in JWT format. The PoA can be in both JSON or CBOR form and is digitally signed by the principal using his/her private key. PoA can be sent in clear text format or compressed binary format (to be defined). The various parameters included in a PoA are the following:¶
PoA is interpreted whenever the recipient receives the PoA. This can be done using a third-party centralized server, where the interpretation can be performed, which is a similar approach to a public key certificate authority. Another approach is to enable PoA interpretation at every entity point in the PoA-based authorization. This can be achieved by downloading a common library [PoAlibrary] to encode and decode the PoA. This is a similar approach to for example PGP.¶
This specification adds a new OAuth endpoint: the client authorization endpoint. This is different from the OAuth authorization endpoint defined in [OAuth]. Here, the client constructs the request URI by including the "poa" parameter along with the other parameters as defined in OAuth specification to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded".¶
The authorization server validates the request including the "poa", to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (e.g., by asking the resource owner or by establishing approval via other means).¶
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client same as the OAuth specification.¶
If the request fails due to a missing parameter in the PoA, invalid time, or any suspicious parameters in the PoA, the client can reject the PoA and send an error response back to the principal. In the case of multi-level authorization, the agent in the trust chain can send the error response back to the principal as well as to the agent before. If the resource owner fails to verify the PoA, the resource owner can inform and ask the agent or principal for more data for verification.¶
Access token request and response between the roles authorization server and the client is done according to the Oauth specification.¶
This is an optional step, where the client can send a report (e.g., log details) to the principal on the work done.¶
Spoofing is not a threat in the proposed model. This is because the PoA is digitally signed using a standard public key approach and there are public keys inside the PoA to identify the principals and agents. Hence, even when the attacker sends a poa signed with his/her private key, the agent checks the public key and rejects the poa because it is not part of the agent's trusted public keys.¶
The PoA that is sent from principal to agent can be eavesdropped on. Even though the data inside the PoA may not be sensitive, it's recommended to use TLS for better security and to eliminate privacy attacks. This is the same for the Man-In-The-Middle (MITM) attack.¶
An external agent interrupts the data flowing across the trust boundary in either direction. DoS is mitigated or can decrease the impact by making the attacker consume more of his resources than yours to launch the attack. Make the attacker reply using information from previous message exchanges, to prove they can receive data from you [rfc3552]. Individual targeted DoS attacks is difficult to prevent in this design.¶
While downloading the public library to generate or validate the PoA, the entity might download a malicious one instead of the legitimate lib. This could be prevented with input sanitization or filtering techniques.¶
Thanks to all of the contributors.¶