]> RISE AB

Isafjordsgatan 22 Kista 164 40 Sweden marco.tiloca@ri.se

Ericsson AB

Torshamnsgatan 23 Kista 16440 Stockholm Sweden goran.selander@ericsson.com

Security ACE Working Group Internet-Draft This document updates the Authentication and Authorization for Constrained Environments (ACE) framework, for which it defines a method to enforce bidirectional access control by means of a single access token. Therefore, this document updates RFC 9200. Discussion Venues Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list (ace@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction The Authentication and Authorization for Constrained Environments (ACE) framework defines an architecture to enforce access control for constrained devices. A client (C) requests an assertion of granted permissions from an authorization server (AS) in the form of an access token, then uploads the access token to the target resource server (RS), and finally accesses protected resources at the RS according to the permissions specified in the access token. The framework has as main building blocks the OAuth 2.0 framework , the Constrained Application Protocol (CoAP) for message transfer, Concise Binary Object Representation (CBOR) for compact encoding, and CBOR Object Signing and Encryption (COSE) for self-contained protection of access tokens. In addition, separate profile documents define in detail how the participants in the ACE architecture communicate, especially as to the security protocols that they use. In some deployments using the ACE framework, two devices DEV1 and DEV2 might wish to access each other's protected resources. That is, DEV1 wishes to act as client and access protected resources hosted at DEV2 acting as resource server. At the same, DEV2 also wishes to act as client and access protected resources hosted at DEV1 acting as resource server. In such a case, bidirectional access control can clearly be achieved by means of two separate access tokens, each of which is used to enforce access control in one direction. That is:

• A first access token is requested by and issued to DEV1, for accessing protected resources at DEV2. With respect to this access token, DEV1 is an ACE client, while DEV2 is an ACE RS.
• A second access token is requested by and issued to DEV2, for accessing protected resources at DEV1. With respect to this access token, DEV2 is an ACE client, while DEV1 is an ACE RS.

The two access tokens have to be separately requested and handled by DEV1 and DEV2, separately uploaded at DEV1 and DEV2, and separately managed by the AS (e.g., for providing token introspection or to enforce early token revocation). While this model results in a clean split between the two directions of access control, it also yields substantial interactions and communication overhead for both DEV1 and DEV2. Instead, it can be desirable to achieve the same bidirectional access control without such downsides, by means of a single access token that is requested by and issued to a single device. In order to enable that, this document updates as follows.

• It defines additional parameters and encodings for the OAuth 2.0 token endpoint at the AS (see ). These include:
  • "rev_audience", used by C to provide the AS with an identifier of itself as a reverse audience, and by the AS to possibly confirm that identifier in a response to C. A corresponding access token claim, namely "rev_aud", is also defined in this document.
  • "rev_scope", used by C to ask the AS that the requested access token specifies additional access rights as a reverse scope, allowing the access token's audience to accordingly access protected resources at C. This parameter is also used by the AS to provide C with the access rights that are actually granted as reverse scope to the access token's audience. A corresponding access token claim, namely "rev_scope", is also defined in this document.
• It defines a method for the ACE framework to enforce bidirectional access control by means of a single access token (see ), building on the two new parameters "rev_audience" and "rev_scope" as well as on the corresponding access token claims "rev_aud" and "rev_scope".

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Readers are expected to be familiar with the terms and concepts described in the ACE framework for Authentication and Authorization , as well as with terms and concepts related to CBOR Web Tokens (CWTs) . The terminology for entities in the considered architecture is defined in OAuth 2.0 . In particular, this includes client (C), resource server (RS), and authorization server (AS). Readers are also expected to be familiar with the terms and concepts related to CoAP , Concise Data Definition Language (CDDL) , CBOR , and COSE . Note that the term "endpoint" is used here following its OAuth definition , aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol." Furthermore, this document uses the following term originally defined in .

• Token series: a set of access tokens, all of which are bound to the same proof-of-possession (PoP) key and are sequentially issued by the same AS for the same pair (client, audience) per the same profile of ACE. A token series ends when the latest access token of that token series becomes invalid (e.g., when it expires or gets revoked). Profiles of ACE can provide their extended and specialized definition, e.g., by further taking into account the public authentication credentials of C and the RS.

CBOR and CDDL are used in this document. CDDL predefined type names, especially bstr for CBOR byte strings and tstr for CBOR text strings, are used extensively in this document. Examples throughout this document are expressed in CBOR diagnostic notation as defined in and . Diagnostic notation comments are often used to provide a textual representation of the parameters' keys and values. In the CBOR diagnostic notation used in this document, constructs of the form e'SOME_NAME' are replaced by the value assigned to SOME_NAME in the CDDL model shown in of . For example, {e'rev_audience' : "rs1", e'rev_scope_param' : h'00ff'} stands for {56 : "rs1", 57 : h'00ff'}. Note to RFC Editor: Please delete the paragraph immediately preceding this note. Also, in the CBOR diagnostic notation used in this document, please replace the constructs of the form e'SOME_NAME' with the value assigned to SOME_NAME in the CDDL model shown in of . Finally, please delete this note.

New ACE Parameters The rest of this section defines a number of additional parameters and encodings for the OAuth 2.0 token endpoint at the AS.

rev_audience This section defines the additional "rev_audience" parameter. The parameter can be used in an Access Token Request sent by C to the token endpoint at the AS, as well as in the successful Access Token Response sent as reply by the AS.

• The "rev_audience" parameter is OPTIONAL in an Access Token Request. The presence of this parameter indicates that C wishes the requested access token to specify additional access rights. These are intended for the access token's audience to access protected resources at C as the access token's reverse audience. This parameter specifies such a reverse audience as a text string identifier of C. When the Access Token Request is encoded in CBOR, the value of this parameter is encoded as a CBOR text string.
• The "rev_audience" parameter is OPTIONAL in an Access Token Response. If present, it has the same meaning and encoding that it has in the Access Token Request.

Fundamentally, this parameter has the same semantics of the "audience" parameter used in the ACE framework, with the difference that it conveys an identifier of C as a host of protected resources to access, according to the access rights granted as reverse scope to the audience of the access token issued by the AS. The use of this parameter is further detailed in .

rev_scope This section defines the additional "rev_scope" parameter. The parameter can be used in an Access Token Request sent by C to the token endpoint at the AS, as well as in the successful Access Token Response sent as reply by the AS.

• The "rev_scope" parameter is OPTIONAL in an Access Token Request. The presence of this parameter indicates that C wishes the requested access token to specify additional access rights. These are intended for the access token's audience to access protected resources at C as the access token's reverse audience. This parameter specifies such access rights as a reverse scope. When the Access Token Request is encoded in CBOR, the value of this parameter is encoded as a CBOR text string or a CBOR byte string.
• The "rev_scope" parameter is OPTIONAL in an Access Token Response. If present, this parameter specifies the access rights that the AS has actually granted as a reverse scope to the access token's audience, for accessing protected resources at C as the access token's reverse audience.

Fundamentally, this parameter has the same semantics of the "scope" parameter used in the ACE framework, with the difference that it conveys the access rights requested/granted as reverse scope for/to the audience of the access token issued by the AS. The use of this parameter is further detailed in .

Bidirectional Access Control This section considers two devices DEV1 and DEV2 that wish to access each other's protected resources, and defines a method that DEV1 and DEV2 can use to enforce bidirectional access control by means of a single access token. It is assumed that the access token is requested by and issued to DEV1 acting as ACE client. At the same time, the access token specifies access rights concerning the access of DEV1 (DEV2) to protected resources hosted at DEV2 (DEV1). In particular:

• The access token expresses access rights according to which the requesting ACE client DEV1 can access protected resources hosted at the ACE RS DEV2. For this first direction of access control, the target DEV2 is specified by means of the "audience" parameter and the corresponding access token claim "aud", while the access rights are specified by means of the "scope" parameter and the corresponding access token claim "scope". This is the original, primary direction of access control, where the ACE client DEV1 that requests the access token wishes access rights to access protected resources at the ACE RS DEV2.
• The same access token additionally expresses access rights according to which the ACE RS DEV2 can access protected resources hosted at the ACE client DEV1. For this second direction of access control, the target DEV1 is specified by means of the "rev_audience" parameter defined in and the corresponding access token claim "rev_aud" defined in this section, while the access rights are specified by means of the "rev_scope" parameter defined in and the corresponding access token claim "rev_scope" defined in this section. This is the new, secondary direction of access control, where the ACE client DEV1 that requests the access token also wishes access rights for the ACE RS DEV2 to access resources at DEV1. Clearly, this requires the ACE client DEV1 to also act as CoAP server, and the ACE RS DEV2 to also act as CoAP client.

Like for the original case with a single access control direction, the access token is uploaded to the ACE RS DEV2, which processes the access token as per and according to the profile of ACE used by DEV1 and DEV2. The protocol workflow is detailed in the following and , in case only one authorization server or two authorization servers are involved, respectively.

Scenario with One Authorization Server As shown in , this section considers a scenario with a single authorization server AS. Both devices DEV1 and DEV2 are registered at AS, and each of them with permissions to access protected resources at the other device. In the following, DEV1 acts as ACE client by requesting an access token from AS.

Bidirectional access control with one authorization server. | C | +----+ +---+ ]]>

Access Token Request As to the Access Token Request that DEV1 sends to AS, the following applies.

• The "audience" and "scope" parameters are used as defined in , and according to the profile of ACE used by DEV1 and DEV2. In particular, "audience" specifies an identifier of DEV2, while "scope" specifies access rights that DEV1 wishes to obtain for accessing protecting resources at DEV2. That is, the two parameters pertain to the primary direction of access control.
• The "req_cnf" parameter defined in can be included. When present, it specifies the key that DEV1 wishes to bind to the requested access token.
• The "rev_audience" and "rev_scope" parameters defined in and can be included. In particular, "rev_audience" specifies an identifier of DEV1, while "rev_scope" specifies access rights that DEV1 wishes for DEV2 to obtain for accessing protecting resources at DEV1. That is, the two parameters pertain to the secondary direction of access control.

If DEV1 wishes that the requested access token also provides DEV2 with access rights pertaining to the secondary direction of access control, then the Access Token Request has to include at least one of the two parameters "rev_audience" and "rev_scope".

Access Token Response When receiving an Access Token Request that includes at least one of the two parameters "rev_audience" and "rev_scope", AS processes it as defined in , with the following additions:

• If the Access Token Request includes the "rev_scope" parameter but not the "rev_audience" parameter, then AS assumes the identifier of DEV1 to be the default one, if any is defined.
• If the Access Token Request includes the "rev_audience" parameter but not the "rev_scope" parameter, then AS assumes the access rights requested for DEV2 to access DEV1 to be the default ones, if any are defined.
• AS checks whether the access rights requested for DEV2 as reverse scope can be at least partially granted, in accordance with the installed access policies pertaining to the access to protected resources at DEV1 from DEV2. That is, AS performs the same evaluation that it would perform if DEV2 sent an Access Token Request as an ACE client, with the intent to access protected resources at DEV1 as an ACE RS. It is REQUIRED that such evaluation succeeds, in order for AS to issue an access token and reply to DEV1 with a successful Access Token Response.

As to the successful Access Token Response that AS sends to DEV1, the following applies.

• The "audience" and "scope" parameters are used as defined in , and according to the profile of ACE used by DEV1 and DEV2. In particular, "audience" specifies an identifier of DEV2, while "scope" specifies the access rights that AS has granted to DEV1 for accessing protecting resources at DEV2. The "scope" parameter has to be present if: i) it was present in the Access Token Request, and the access rights granted to DEV1 are different from the requested ones; or ii) it was not present in the Access Token Request, and the access rights granted to DEV1 are different from the default ones. If the "scope" parameter is not present, then the granted access rights are the same as those requested by the "scope" parameter in the Access Token Request if present therein, or the default access rights otherwise.
• The "rs_cnf" parameter defined in can be included. When present, it specifies information about the public key that DEV2 uses to authenticate.
• The "rev_audience" parameter defined in can be included, and specifies an identifier of DEV1. If the "rev_audience" parameter is present in the Access Token Response and it was also present in the Access Token Request, then the parameter in the Access Token Response MUST have the same value specified by the parameter in the Access Token Request.
• The "rev_scope" parameter defined in can be included, and specifies access rights that AS has granted to DEV2 for accessing protecting resources at DEV1. The "rev_scope" parameter MUST be present if: i) it was present in the Access Token Request, and the access rights granted to DEV2 are different from the requested ones; or ii) it was not present in the Access Token Request, and the access rights granted to DEV2 are different from the default ones. If the "rev_scope" parameter is not present, then the access rights granted to DEV2 are the same as those requested by the "rev_scope" parameter in the Access Token Request if present therein, or the default access rights otherwise.

The issued access token MUST include information about the reverse audience and reverse scope pertaining to the secondary access control direction. In particular:

• The access token MUST contain a claim specifying the identifier of DEV1. If the Access Token Response includes the "rev_audience" parameter, then the claim specifies the same information conveyed by that parameter. If this is not the case, then the claim specifies the same information conveyed by the "rev_audience" parameter of the Access Token Request, if included therein, or the default identifier of DEV1 otherwise. When CWTs are used as access tokens, this information MUST be transported in the "rev_aud" claim registered in .
• The access token MUST contain a claim specifying the access rights that AS has granted to DEV2 for accessing protecting resources at DEV1. If the Access Token Response includes the "rev_scope" parameter, then the claim specifies the same information conveyed by that parameter. If this is not the case, then the claim specifies the same information conveyed by the "rev_scope" parameter of the Access Token Request, if included therein, or the default access rights for DEV2 to access DEV1 otherwise. When CWTs are used as access tokens, this information MUST be transported in the "rev_scope" claim, registered in .

Access to Protected Resources As to the secure communication association between DEV1 and DEV2, its establishment and maintenance do not deviate from what is defined in the profile of ACE used by DEV1 and DEV2. Furthermore, communications between DEV1 and DEV2 MUST rely on such secure communication association for both directions of access control, i.e., when DEV1 accesses protected resources at DEV2 and vice versa. After having received a successful Access Token Response from AS, DEV1 MUST maintain and enforce the information about the access rights granted to DEV2 and pertaining to the secondary access control direction. In particular, DEV1 MUST prevent DEV2 from accessing protected resources at DEV1, in case access requests from DEV2 are not authorized as per the reverse scope specified by the issued access token, or after having purged the issued access token (e.g., following its expiration of revocation).

Scenario with Two Authorization Servers TBD

Practical Considerations When enforcing bidirectional access control by means of a single access token, the following considerations hold.

• The access token can be uploaded to the ACE RS DEV2 by the ACE client per the original ACE workflow, or by the AS that has issued the access token per the alternative ACE workflow defined in .
• Since the access token is requested by the ACE client DEV1, only DEV1 can request for a new access token in the same token series, in order to dynamically update the access rights concerning its own access to protected resources hosted by DEV2 (on the primary access control direction) and/or the access rights concerning the access of DEV2 to access protected resources hosted by DEV1 (on the secondary access control direction).

Security Considerations The same security considerations from the ACE framework for Authentication and Authorization apply to this document, together with those from the specific profile of ACE used. Editor's note: add more security considerations.

IANA Considerations This document has the following actions for IANA. Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.

OAuth Parameters Registry IANA is asked to add the following entries to the "OAuth Parameters" registry.

• Name: "rev_audience"
• Parameter Usage Location: token request and token response
• Change Controller: IETF
• Reference: [RFC-XXXX]

• Name: "rev_scope"
• Parameter Usage Location: token request and token response
• Change Controller: IETF
• Reference: [RFC-XXXX]

OAuth Parameters CBOR Mappings Registry IANA is asked to add the following entries to the "OAuth Parameters CBOR Mappings" registry, following the procedure specified in .

• Name: "rev_audience"
• CBOR Key: TBD
• Value Type: text string
• Reference: [RFC-XXXX]
• Original Specification: [RFC-XXXX]

• Name: "rev_scope"
• CBOR Key: TBD
• Value Type: text string or byte string
• Reference: [RFC-XXXX]
• Original Specification: [RFC-XXXX]

JSON Web Token Claims Registry IANA is asked to add the following entries to the "JSON Web Token Claims" registry, following the procedure specified in .

• Claim Name: "rev_aud"
• Claim Description: The reverse audience of an access token
• Change Controller: IETF
• Reference: [RFC-XXXX]

• Claim Name: "rev_scope"
• Claim Description: The reverse scope of an access token
• Change Controller: IETF
• Reference: [RFC-XXXX]

CBOR Web Token (CWT) Claims Registry IANA is asked to add the following entries to the "CBOR Web Token (CWT) Claims" registry, following the procedure specified in .

• Claim Name: "rev_aud"
• Claim Description: The reverse audience of an access token
• JWT Claim Name: "rev_aud"
• Claim Key: TBD
• Claim Value Type: text string
• Change Controller: IETF
• Reference: of [RFC-XXXX]

• Claim Name: "rev_scope"
• Claim Description: The reverse scope of an access token
• JWT Claim Name: "rev_scope"
• Claim Key: TBD
• Claim Value Type: text string or byte string
• Change Controller: IETF
• Reference: of [RFC-XXXX]

References Normative References The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases. This specification defines new parameters and encodings for the OAuth 2.0 token and introspection endpoints when used with the framework for Authentication and Authorization for Constrained Environments (ACE). These are used to express the proof-of-possession (PoP) key the client wishes to use, the PoP key that the authorization server has selected, and the PoP key the resource server uses to authenticate to the client. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References RISE AB Ericsson AB This document updates the Authentication and Authorization for Constrained Environments Framework (ACE, RFC 9200) as follows. (1) It defines the Short Distribution Chain (SDC) workflow that the authorization server can use for uploading an access token to a resource server on behalf of the client. (2) For the OAuth 2.0 token endpoint, it defines new parameters and encodings, and extends the semantics of the "ace_profile" parameter. (3) It defines how the client and the authorization server can coordinate on the exchange of the client's and resource server's public authentication credentials, when those can be transported by value or identified by reference; this extends the semantics of the "rs_cnf" parameter for the OAuth 2.0 token endpoint, thus updating RFC 9201. (4) It amends two of the requirements on profiles of the framework. (5) It deprecates the original payload format of error responses conveying an error code, when CBOR is used to encode message payloads. For those responses, it defines a new payload format aligned with RFC 9290, thus updating in this respect also the profiles defined in RFC 9202, RFC 9203, and RFC 9431.

CDDL Model

CDDL model

Acknowledgments The authors sincerely thank and for their comments and feedback. This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT project CYPRESS.