2-levels Access control for HTTP binding

Group Name: WG4 (& WG2/WG3 for information)
Source: Shingo Fujimoto, FUJITSU, shingo_fujimoto@jp.fujitsu.com
Meeting Date: 2014-03-05
Agenda Item: Access Control in protocol


© 2014 oneM2M Partners SEC-2014-0222-2-Levels_Access_Control

Introduction

• It is not yet clear how to implement the 2-levels access control introduced in the Architecture TS.

• This contribution proposes how 2 levels of access control can be implemented on HTTP, considering best practices found in the real world.


2-levels Access Control Model

[Diagram: AE connects over Mca to the Local CSE, which connects over Mcc to the IN-CSE and on over Mcc to the Hosting CSE. Two checks are shown along the path: "Check if AE is registered" and "Check if AE is authorized to access resource".]


(High Level) Proposal

• Introduce a token-based access control mechanism for the HTTP protocol binding, in addition to traditional password-based access control

• The OAuth2 specification should be considered as the solution for the access control mechanism of the HTTP protocol binding


[FYI] Access Control for HTTP

• Basic Authentication
– Widely used to authenticate identity with a pre-shared secret (=password)

• Bearer Authorization [RFC6750]
– Widely used to carry the access token data, which can work with OAuth2-based systems


Proposal on implementation

• The Local CSE will behave as a proxy server

• The AE will connect to the Local CSE and request that a TLS connection be established to the targeted host by issuing the CONNECT method

• The targeted CSE may forward the request to the CSE one hop further

• The credential used to pass the "is the AE registered" check is carried in the "Proxy-Authorization" header


[FYI] Communication Flow

[Sequence diagram with lifelines AE, Local CSE, IN-CSE and hosting-CSE; the messages shown, in order:]

Establish TLS session

CONNECT m2m.example.com:443 HTTP/1.1
Host: lcse.example.com
Proxy-Authorization: <access_key>

CONNECT incse.example.com:443 HTTP/1.1

GET /cse3/foo/bar HTTP/1.1
Host: m2m.example.com
Authorization: Bearer <access_token>

CONNECT hcse.example.com:443 HTTP/1.1

Requests over the TLS connection
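The two checks from the flow above, as an added example (not code from the contribution or from oneM2M): level 1 is the proxy-side check of the Proxy-Authorization credential on the CONNECT request, level 2 is the hosting-CSE check of the Bearer token against the requested resource. The registered access keys, tokens, resource lists and the two sample requests are constructed for the example.

```python
import hmac

# Constructed sample data: registered AE access keys (level 1) and
# issued bearer tokens with the resources each one may access (level 2).
REGISTERED_AES = {"ae-key-1234": "AE1"}
TOKENS = {"tok-abc": ("AE1", {"/cse3/foo/bar"})}

# Constructed requests mirroring the messages in the flow above.
CONNECT_REQ = ("CONNECT m2m.example.com:443 HTTP/1.1\r\n"
               "Host: lcse.example.com\r\n"
               "Proxy-Authorization: ae-key-1234\r\n\r\n")
GET_REQ = ("GET /cse3/foo/bar HTTP/1.1\r\n"
           "Host: m2m.example.com\r\n"
           "Authorization: Bearer tok-abc\r\n\r\n")


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, target, headers)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_registration(raw):
    """Level 1 (Local CSE as proxy): is the AE registered?
    Returns (status, ae_id); 407 means Proxy Authentication Required."""
    method, _target, headers = parse_request(raw)
    if method != "CONNECT":
        return 405, None
    key = headers.get("proxy-authorization", "")
    for known, ae_id in REGISTERED_AES.items():
        if hmac.compare_digest(key, known):   # constant-time compare
            return 200, ae_id
    return 407, None


def check_authorization(raw, ae_id):
    """Level 2 (hosting CSE): may this AE's token access the resource?
    401 for a missing/invalid token (RFC 6750), 403 for a valid token
    that is not authorized for the requested resource."""
    _method, target, headers = parse_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    entry = TOKENS.get(token)
    if entry is None or entry[0] != ae_id:
        return 401
    return 200 if target in entry[1] else 403
```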


Proposal

• WG4 members should consider the feasibility of the proposed solution for implementing 2-levels access control

• WG4 members should consider the APIs required to accommodate the proposed solution
