Third-Party Token-Based Authentication and Authorization for Session Initiation Protocol (SIP)
RFC 8898

Document Type RFC - Proposed Standard (September 2020; No errata)
Updates RFC 3261
Last updated 2020-09-10
Replaces draft-ietf-sipcore-sip-authn
Stream IETF
Formats plain text html xml pdf htmlized bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Jean Mahoney
Shepherd write-up Show (last changed 2020-03-28)
IESG IESG state RFC 8898 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Murray Kucherawy
Send notices to Jean Mahoney <mahoney@nostrum.com>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack


Internet Engineering Task Force (IETF)                    R. Shekh-Yusef
Request for Comments: 8898                                         Auth0
Updates: 3261                                                C. Holmberg
Category: Standards Track                                       Ericsson
ISSN: 2070-1721                                               V. Pascual
                                                                   Nokia
                                                          September 2020

  Third-Party Token-Based Authentication and Authorization for Session
                       Initiation Protocol (SIP)

Abstract

   This document defines the "Bearer" authentication scheme for the
   Session Initiation Protocol (SIP) and a mechanism by which user
   authentication and SIP registration authorization is delegated to a
   third party, using the OAuth 2.0 framework and OpenID Connect Core
   1.0.  This document updates RFC 3261 to provide guidance on how a SIP
   User Agent Client (UAC) responds to a SIP 401/407 response that
   contains multiple WWW-Authenticate/Proxy-Authenticate header fields.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8898.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Applicability
     1.3.  Token Types and Formats
     1.4.  Example Flows
       1.4.1.  Registration
       1.4.2.  Registration with Preconfigured AS
   2.  SIP Procedures
     2.1.  UAC Behavior
       2.1.1.  Obtaining Tokens and Responding to Challenges
       2.1.2.  Protecting the Access Token
       2.1.3.  REGISTER Request
       2.1.4.  Non-REGISTER Request
     2.2.  User Agent Server (UAS) and Registrar Behavior
     2.3.  Proxy Behavior
   3.  Access Token Claims
   4.  WWW-Authenticate Response Header Field
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  New Proxy-Authenticate Header Field Parameters
     6.2.  New WWW-Authenticate Header Field Parameters
   7.  Normative References
   8.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   The Session Initiation Protocol (SIP) [RFC3261] uses the same
   framework as HTTP [RFC7230] to authenticate users: a simple
   challenge-response authentication mechanism that allows a SIP User
   Agent Server (UAS), proxy, or registrar to challenge a SIP User Agent
   Client (UAC) request and allows the UAC to provide authentication
   information in response to that challenge.

   OAuth 2.0 [RFC6749] defines a token-based authorization framework to
   allow an OAuth client to access resources on behalf of its user.

   The OpenID Connect Core 1.0 specification [OPENID] defines a simple
   identity layer on top of the OAuth 2.0 protocol, which enables OAuth/
   OpenID clients to verify the identity of the user based on the
   authentication performed by a dedicated authorization server (AS),
   referred to as OpenID Provider (OP), as well as to obtain basic
   profile information about the user.

   This document defines the "Bearer" authentication scheme for SIP and
   a mechanism by which user authentication and SIP registration
   authorization is delegated to a third party, using the OAuth 2.0
   framework and OpenID Connect Core 1.0.  This kind of user
   authentication enables single sign-on, which allows the user to
   authenticate once and gain access to both SIP and non-SIP services.

   This document also updates [RFC3261] by defining the UAC procedures
   when a UAC receives a 401/407 response with multiple WWW-
   Authenticate/Proxy-Authenticate header fields, providing challenges
   using different authentication schemes for the same realm.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
Show full document text