SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part
1
2
3
I NPUT C ONTRIB UTION
Meeting ID*
SEC#18
Title:*
TR-0019 A Proposal of Token Issuance General Procedure Part
Source:*
Wei Zhou, Datang, zhouwei@catt.cn
Hui Xu, Datang, xuhui@catt.cn
Uploaded Date:*
2015-07-20
Document(s)
SEC WI-0019, oneM2M-TR-0019
Impacted*
Intended purpose of
Decision
document:*
Discussion
Information
Other <specify>
Decision requested or
recommendation:*
Agree for inclusion in TR-0019.
Template Version:23 February 2015 (Dot not modify)
4
5
oneM2M Notice
6
7
8
9
The document to which this cover statement is attached is submitted to oneM2M. Participation in, or attendance at, any
activity of oneM2M, constitutes acceptance of and agreement to be bound by terms of the Working Procedures and the
Partnership Agreement, including the Intellectual Property Rights (IPR) Principles Governing oneM2M Work found in
Annex 1 of the Partnership Agreement.
10
11
© 2015 oneM2M Partners
Page 1 (of 2)
SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part
12
Header
13
1 Introduction
14
15
This contribution provides a solution about access token issuance and use in oneM2M Dynamic
Authorization System.
16
2 Proposal
17
8.x
Proposal N: A Solution of Access Token Issuance and Use
18
8.x.1
Access Token Issuance Architecture
19
8.x.2
General Procedure of Token Issuance and Use
20
The generic procedure of token issuance and use is shown in figure 8.x.2-2 and described as follows:
Originator
Token Authority
Hosting CSE
1:Security association establishment
2:Access token request
3.1:Check access control policies
3.2:Check access token authorization policies
3.3:Generate access token plaintext
3.4:Sign and/or encrypt the token
4:Access token response
5:Issue access token revocation list
6:Security association establishment
7:Access request with access token
8.1:Decrypt and/or verify the token
8.2:Check access token revocation list
8.3:Evaluate the privileges in access token
8.4:Perform the requested resource access
9:Access response
21
22
Figure 8.x.2-1: Generic process of Access Token issuance and use
23
24
1. The Originator and the Token Authority establish security association through mutual authentication to ensure the
integrity and confidentiality of communications between the two entities.
25
2. The Originator sends Access Token Request to the Token Authority.
© 2015 oneM2M Partners
Page 1 (of 2)
SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part
26
3. The Token Authority CSE does the following operations:
27
1)
Check if the Originator has the privileges of accessing the target resource according to the ACP;
28
29
2)
Check if the Originator can obtain the privileges described in the Access Token Request according to the
Access Token Authorization Policies;
30
3)
Generate access token plaintext;
31
4)
Sign and/or encrypt the access token plaintext.
32
33
34
4. The Token Authority returns the issued Access Token back to the Originator.
It is also possible for the Token Authority to store the Access Token and inform the Originator where to retrieve
the Access Token.
35
36
5. The Token Authority may also issue an Access Token Revocation List in which the revoked Access Tokens that are
still not expired are placed.
37
38
6. The Originator and the Hosting CSE establish security association through mutual authentication to ensure the
integrity and confidentiality of communications between the two entities.
39
40
7. The Originator sends resource access request in which one or multiple Access Token is included to the Hosting
CSE.
41
8. The Hosting CSE extracts the Access Tokens from the resource access request, and dos the following operations:
42
1)
Decrypt and/or verify the Access Token.
43
2)
Check if this Access Token has been revoked against an Access Token Revocation List.
44
3)
Evaluate the Originator’s resource access request based on the privileges in the Access Token.
45
4)
Perform the requested resource access.
46
9. The Hosting CSE returns the execution result back to the Originator.
47
48
49
© 2015 oneM2M Partners
Page 1 (of 2)