Hi all, Simon asked us (Derek and myself) to do a quick review of this document developed within another working group that happens to use OAuth.
* Background TURN is a special tunnelling gateway (very much like an IPsec gateway would be) but designed specifically to relay voice/video traffic. To prevent attacks a TURN client (such as a VoIP phone) uses a shared secret (username & password) with the TURN server (=gateway). So, if Alice calls Bob and uses a TURN server then her VoIP client uses SIP or WebRTC (as a signaling protocol) to establish the necessary communication so that voice packets can be exchanged between the two VoIP clients with the help of the TURN server. The main idea of this document is to re-use OAuth to authorize the use of this TURN server. * The Design I would have used OAuth as is (or maybe selected a specific grant type) to obtain an access token. Then, I would have defined how the access token is carried in the TURN protocol. This is a bit similar what we have already done with the OAuth SASL draft where we defined a new way to convey the access token from the SASL client to the SASL server. How did the authors solve that problem? They pretty much did what I just explained. Since TURN does not use DTLS (or TLS) the proof-of-possession security work we are doing becomes relevant (namely the symmetric key-based part). Putting discovery information in-band into the exchange is also find (which is what we did in the SASL document). Instead of using the JWT access token format the authors have defined a new, binary encoding to keep the size smaller. The OAuth framework allows other token formats to be used - so that's fine as well. (As a minor remark, I would use AEAD ciphers here since that's what everyone is doing noways.) Two things surprised me: a) The spec leaves the way to obtain the access token pretty much open. A big benefit from using OAuth is that there is a protocol mechanism defined for getting the access token. You could, for example, recommend using authorization code flow. This concerns the text written in Section 4. b) You describe a key establishment scheme to be used between the resource server and the authorization server. What assumption do you make about the relationship between the authorization server and the resource server? Are they supposed to have a business relationship or some other relationship with each other? Minor aspects: * Would the TURN server name really be an email alike address rather than a URI? * Would you use Dynamic Client Registration to provision the client with the necessary parameter? Is there the expectation that random clients would work with random authorization servers? * Wouldn't you want to define a scope value for use with the TURN service so that the authorization server is able to restrict the access token for use with TURN only? * Crypto algorithm negotiation: would you expect the authorization server to tell the client what crypto algorithms to use (since the authorization server not only needs to share a key with the resource server but also needs to have knowledge about the supported cryptographic algorithms)? * In your TURN <-> OAuth terminology mapping you say that the resource owner corresponds to the RTCWeb server. I don't think that's true. The resource owner is the user but I believe you are trying to say that the user grants authorization implicitly by making a WebRTC call. Ciao Hannes
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
