You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: openid-caep-interoperability-profile-1_0.md
+44-4Lines changed: 44 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,8 +21,6 @@ author:
21
21
name: Atul Tulshibagwale
22
22
org: SGNL
23
23
email: atul@sgnl.ai
24
-
25
-
contributor:
26
24
-
27
25
ins: A. Deshpande
28
26
name: Apoorva Deshpande
@@ -74,10 +72,25 @@ normative:
74
72
ins: A. Tulshibagwale
75
73
name: Atul Tulshibagwale
76
74
org: SGNL
77
-
75
+
RFC7525: # Recommendations for Secure Use of Transport Layer Security
76
+
RFC6125: # Representation and Verification of Domain-Based Application Service Identity within Internet Public Key
77
+
# Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
78
+
RFC6750: # The OAuth 2.0 Authorization Framework: Bearer Token Usage
79
+
RFC8414: # OAuth 2.0 Authorization Server Metadata
80
+
OAUTH:
81
+
target: https://www.rfc-editor.org/info/rfc6749
82
+
title: The OAuth 2.0 Authorization Framework
83
+
author:
84
+
-
85
+
ins: D. Hardt, Ed
86
+
name: Dick Hardt
87
+
org: Microsoft
78
88
79
89
--- abstract
80
-
This document defines an interoperability profile for implementations of the Shared Signals Framework (SSF) {{SSF}} and the Continuous Access Evaluation Profile (CAEP) {{CAEP}}. It is organized around use-cases that improve security of authenticated sessions. It specifies certain optional elements from within the SSF and CAEP specifications as being required to be supported in order to be considered as an interoperable implementation.
90
+
This document defines an interoperability profile for implementations of the Shared Signals Framework (SSF) {{SSF}}, the Continuous Access Evaluation Profile (CAEP) {{CAEP}} and the OAuth 2.0 Authorization Framework (OAuth) {{OAUTH}}. It is organized around use-cases that improve security of authenticated sessions. It specifies certain optional elements from within the SSF and CAEP specifications as being required to be supported in order to be considered as an interoperable implementation.
91
+
92
+
Interoperability between the SSF, CAEP and the OAuth framework empowers organizations to leverage the strengths of these standards, bringing in
93
+
more security to the APIs.
81
94
82
95
--- middle
83
96
@@ -93,6 +106,11 @@ Credential Change
93
106
# Common Requirements {#common-requirements}
94
107
The following requirements are common across all use-cases defined in this document.
95
108
109
+
## Network layer protection
110
+
* The SSF transmitter MUST offer TLS protected endpoints and shall establish connections to other servers using TLS. TLS connections MUST be set up to use TLS version 1.2 or later.
111
+
* When using TLS 1.2, follow the recommendations for Secure Use of Transport Layer Security in [RFC7525]{{RFC7525}}.
112
+
* The SSF receiver MUST perform a TLS server certificate check before calling the SSF transmitter APIs, as per [RFC6125]{{RFC6125}}.
113
+
96
114
## Transmitters {#common-transmitters}
97
115
Transmitters MUST implement the following features:
98
116
@@ -175,6 +193,28 @@ Receivers MUST be prepared to accept events with any of the subject identifier f
175
193
## Event Signatures
176
194
All events MUST be signed using the `RS256` algorithm using a minimum of 2048-bit keys.
177
195
196
+
## OAuth Service
197
+
198
+
### Authorization Server
199
+
* SHALL distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [RFC8414]{{RFC8414}}
200
+
* MUST support at least one of the following to obtain a short-lived access token
201
+
** client credential grant flow
202
+
** authorization code flow
203
+
204
+
### OAuth Scopes
205
+
206
+
* Authorization server MUST reserve the scopes for the SSF endpoints with the prefix of `ssf`
207
+
* All the SSF stream configuration management API operations MUST be protected using `ssf.manage` scope
208
+
* All the SSF stream configuration Read API operations MUST be protected by `ssf.read` scope
209
+
* Authorization server MAY decide to postfix scope names with more granular operations eg. `ssf.manage.create`, `ssf.manage.update` etc.
210
+
* Transmitter managed poll endpoint MAY use the scope in the same nomenclature as `ssf.manage.poll`
211
+
212
+
### The SSF Transmitter as a Resource Server
213
+
* MUST accept access tokens in the HTTP header as in Section 2.1 of OAuth 2.0 Bearer Token Usage [RFC6750]{{RFC6750}}
214
+
* MUST NOT accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage [RFC6750]{{RFC6750}}
215
+
* SHALL verify the validity, integrity, expiration and revocation status of access tokens
216
+
* SHALL verify that the authorization represented by the access token is sufficient for the requested resource access and otherwise return errors as in section 3.1 of [RFC6750]{{RFC6750}}
217
+
178
218
# Use Cases
179
219
Implementations MAY choose to support one or more of the following use-cases in order to be considered interoperable implementations
0 commit comments