Hi Hannes,
Sorry for the delayed answer but I have been travelling for a couple of days.
This code is a first JAVA prototype that implements the actors, messages and
flows that are defined in draft-cuellar-ace-pat-priv-enhanced-authz-tokens-03.
I will try to give you an overview:
- You can find several examples that demonstrate the features of the
draft/prototype in src/test/java/com/atos/ari/rerum/ace. For instance in
CompleteTestSuccess.java:
- We have a ResourceServer (lines 74-86) that hosts a resource which
will be used for the tests (this functionality would be implemented in a
constrained device)
- We have an AuthorizationServer (lines 89-106) that will perform the
authorization process on behalf of the ResourceServer and which uses a set of
policies defined a JSON file. This is out of the scope of the draft, but we
have followed this approach to achieve a complete test.
- A client wants to get access to the resource but as it does not have
an valid access token, the resource server will return an Unauthorized response
with the information about the AuthorizationServer that must be contacted
(lines 127-135).
- The client uses this information to ask the AuthorizationServer an
AccessToken that covers its request over the ResourceServer. In this case, a
GET operation. (lines 138- 141)
- The client uses part of the ClientToken to perform an authorized
resource request to the resource server (lines 143 - 152)
- The client uses part of the ClientToken to unencrypt the answer
received from the ResourceServer (lines 155 -167 )
- In the rest of the code, a similar process if followed to perform a
POST operation.
- The implementation of the actors can be found under
src/main/java/com/atos/ari/rerum/ace folder: AuthorizationServer, Client,
ResourceAce and ResourceServer. All these classes are used in the examples like
the one I mentioned before.
- In src/main/java/com/atos/ari/rerum/ace/messages, you can find the classes
that implement the different messages that are exchanged as part of the
protocol flow, e.g., the sam information message (SamInformationMessage), the
access token request message (AccessRequestMessage), the client token
(TicketTransferMessage, TicketTransferMessageFace) and the access token
(AccessToken). The access token is embedded in the payload as described in the
draft. We use AcePayload class for this part. As you can see, the contents of
the payload are encrypted to protect data confidentiality.
In src/main/java/com/atos/ari/rerum/ace/crypto, you can find the classes that
implement the different algorithms that are initially proposed in the draft.
For instance:
- AEAD_CHACHA20_POLY130 for authenticat4ed encryption of payloads.
- Poly1305 to generate the verifier (part of the ClientToken that is
sent from the AuthorizationServer to the Client and used to encrypt payload)
The next step would be to implement the Client actor and its functionality in a
real constrained device. As I explained you in Berlin, this is in our roadmap
but we are going also to follow your comments and try to align first this draft
with draft-ietf-ace-oauth-authz-02.
@Jorge, @Prabha, please correct me if anything is not totally correct and feel
free to add what you consider of interest.
I hope that this explanation is useful to understand better the code but if you
have more doubts, please don't hesitate in ask me again!
BR,
Daniel
Daniel Calvo
Energy and Transport Market
Atos Research and Innovation
Tel: +34 946 66 20 82
[email protected]
C/Real Consulado s/n,
Polígono Industrial Candina
39011 Santander
www.atosresearch.eu
Feel free to download our booklet at
https://atos.net/en/insights-and-innovation/innovation-labs
This e-mail and the documents attached are confidential and intended solely for
the addressee; it may also be privileged. If you receive this e-mail in error,
please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability
cannot be triggered for the message content. Although the sender endeavors to
maintain a computer virus-free network, the sender does not warrant that this
transmission is virus-free and will not be liable for any damages resulting
from any virus transmitted.
Este mensaje y los ficheros adjuntos pueden contener información confidencial
destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar
protegidos por secreto profesional.
Si usted recibe este correo electrónico por error, gracias por informar
inmediatamente al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se
hace responsable por su contenido. Su contenido no constituye ningún compromiso
para el grupo Atos, salvo ratificación escrita por ambas partes.
Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no
puede garantizar nada al respecto y no será responsable de cualesquiera daños
que puedan resultar de una transmisión de virus.
This e-mail and the documents attached are confidential and intended solely for
the addressee; it may also be privileged. If you receive this e-mail in error,
please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability
cannot be triggered for the message content. Although the sender endeavors to
maintain a computer virus-free network, the sender does not warrant that this
transmission is virus-free and will not be liable for any damages resulting
from any virus transmitted.
Este mensaje y los ficheros adjuntos pueden contener información confidencial
destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar
protegidos por secreto profesional.
Si usted recibe este correo electrónico por error, gracias por informar
inmediatamente al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se
hace responsable por su contenido. Su contenido no constituye ningún compromiso
para el grupo Atos, salvo ratificación escrita por ambas partes.
Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no
puede garantizar nada al respecto y no será responsable de cualesquiera daños
que puedan resultar de una transmisión de virus.
-----Original Message-----
From: Hannes Tschofenig [mailto:[email protected]]
Sent: Monday, September 26, 2016 10:24 AM
To: Calvo Alonso, Daniel; [email protected]
Cc: Kasinathan, Prabhakaran; Cuellar, Jorge; Gato, Jose
Subject: Re: [Ace] Correct url for
draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code
Hi Daniel,
could you provide a bit of info what you have implemented?
(I know that I can look at the code myself but you probably know all the
details from the top of your head.)
Ciao
Hannes
On 08/31/2016 10:11 AM, Calvo Alonso, Daniel wrote:
> Dear all,
>
> As I promised during my presentation in the ACE WG meeting in Berlin,
> this is the correct link to
> draft-cuellar-ace-pat-priv-enhanced-authz-tokens prototype source code:
>
> _https://gitlab.atosresearch.eu/ari/ACE-PAT-pub_
>
> Please, don't hesitate in contact me in case you have any doubt or problem.
>
> With my best regards,
>
> *Daniel Calvo*
> Energy and Transport Market
> Atos Research and Innovation
> Tel: +34 946 66 20 82
> [email protected]_ <mailto:[email protected]> C/Real
> Consulado s/n, Polígono Industrial Candina
> 39011 Santander
> _www.atosresearch.eu_ <http://www.atosresearch.eu/>
>
>
> *Feel free to download our booklet at*
> _http://atos.net/en-us/home/we-are/insights-innovation/research-and-in
> novation.html_
>
>
> This e-mail and the documents attached are confidential and intended
> solely for the addressee; it may also be privileged. If you receive
> this e-mail in error, please notify the sender immediately and destroy it.
> As its integrity cannot be secured on the Internet, the Atos group
> liability cannot be triggered for the message content. Although the
> sender endeavors to maintain a computer virus-free network, the sender
> does not warrant that this transmission is virus-free and will not be
> liable for any damages resulting from any virus transmitted.
>
> Este mensaje y los ficheros adjuntos pueden contener información
> confidencial destinada solamente a la(s) persona(s) mencionadas
> anteriormente y pueden estar protegidos por secreto profesional.
> Si usted recibe este correo electrónico por error, gracias por
> informar inmediatamente al remitente y destruir el mensaje.
> Al no estar asegurada la integridad de este mensaje sobre la red, Atos
> no se hace responsable por su contenido. Su contenido no constituye
> ningún compromiso para el grupo Atos, salvo ratificación escrita por
> ambas partes.
> Aunque se esfuerza al máximo por mantener su red libre de virus, el
> emisor no puede garantizar nada al respecto y no será responsable de
> cualesquiera daños que puedan resultar de una transmisión de virus.
> This e-mail and the documents attached are confidential and intended
> solely for the addressee; it may also be privileged. If you receive
> this e-mail in error, please notify the sender immediately and destroy it.
> As its integrity cannot be secured on the Internet, the Atos group
> liability cannot be triggered for the message content. Although the
> sender endeavors to maintain a computer virus-free network, the sender
> does not warrant that this transmission is virus-free and will not be
> liable for any damages resulting from any virus transmitted.
>
> Este mensaje y los ficheros adjuntos pueden contener información
> confidencial destinada solamente a la(s) persona(s) mencionadas
> anteriormente y pueden estar protegidos por secreto profesional.
> Si usted recibe este correo electrónico por error, gracias por
> informar inmediatamente al remitente y destruir el mensaje.
> Al no estar asegurada la integridad de este mensaje sobre la red, Atos
> no se hace responsable por su contenido. Su contenido no constituye
> ningún compromiso para el grupo Atos, salvo ratificación escrita por
> ambas partes.
> Aunque se esfuerza al máximo por mantener su red libre de virus, el
> emisor no puede garantizar nada al respecto y no será responsable de
> cualesquiera daños que puedan resultar de una transmisión de virus.
>
>
>
> This e-mail and the documents attached are confidential and intended
> solely for the addressee; it may also be privileged. If you receive
> this e-mail in error, please notify the sender immediately and destroy it.
> As its integrity cannot be secured on the Internet, the Atos group
> liability cannot be triggered for the message content. Although the
> sender endeavors to maintain a computer virus-free network, the sender
> does not warrant that this transmission is virus-free and will not be
> liable for any damages resulting from any virus transmitted.
>
> Este mensaje y los ficheros adjuntos pueden contener información
> confidencial destinada solamente a la(s) persona(s) mencionadas
> anteriormente y pueden estar protegidos por secreto profesional.
> Si usted recibe este correo electrónico por error, gracias por
> informar inmediatamente al remitente y destruir el mensaje.
> Al no estar asegurada la integridad de este mensaje sobre la red, Atos
> no se hace responsable por su contenido. Su contenido no constituye
> ningún compromiso para el grupo Atos, salvo ratificación escrita por
> ambas partes.
> Aunque se esfuerza al máximo por mantener su red libre de virus, el
> emisor no puede garantizar nada al respecto y no será responsable de
> cualesquiera daños que puedan resultar de una transmisión de virus.
>
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace
>
This e-mail and the documents attached are confidential and intended solely for
the addressee; it may also be privileged. If you receive this e-mail in error,
please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability
cannot be triggered for the message content. Although the sender endeavors to
maintain a computer virus-free network, the sender does not warrant that this
transmission is virus-free and will not be liable for any damages resulting
from any virus transmitted.
Este mensaje y los ficheros adjuntos pueden contener información confidencial
destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar
protegidos por secreto profesional.
Si usted recibe este correo electrónico por error, gracias por informar
inmediatamente al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se
hace responsable por su contenido. Su contenido no constituye ningún compromiso
para el grupo Atos, salvo ratificación escrita por ambas partes.
Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no
puede garantizar nada al respecto y no será responsable de cualesquiera daños
que puedan resultar de una transmisión de virus.
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
