SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part 1 2 3 I NPUT C ONTRIB UTION Meeting ID* SEC#18 Title:* TR-0019 A Proposal of Token Issuance General Procedure Part Source:* Wei Zhou, Datang, zhouwei@catt.cn Hui Xu, Datang, xuhui@catt.cn Uploaded Date:* 2015-07-20 Document(s) SEC WI-0019, oneM2M-TR-0019 Impacted* Intended purpose of Decision document:* Discussion Information Other <specify> Decision requested or recommendation:* Agree for inclusion in TR-0019. Template Version:23 February 2015 (Dot not modify) 4 5 oneM2M Notice 6 7 8 9 The document to which this cover statement is attached is submitted to oneM2M. Participation in, or attendance at, any activity of oneM2M, constitutes acceptance of and agreement to be bound by terms of the Working Procedures and the Partnership Agreement, including the Intellectual Property Rights (IPR) Principles Governing oneM2M Work found in Annex 1 of the Partnership Agreement. 10 11 © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part 12 Header 13 1 Introduction 14 15 This contribution provides a solution about access token issuance and use in oneM2M Dynamic Authorization System. 16 2 Proposal 17 8.x Proposal N: A Solution of Access Token Issuance and Use 18 8.x.1 Access Token Issuance Architecture 19 8.x.2 General Procedure of Token Issuance and Use 20 The generic procedure of token issuance and use is shown in figure 8.x.2-2 and described as follows: Originator Token Authority Hosting CSE 1:Security association establishment 2:Access token request 3.1:Check access control policies 3.2:Check access token authorization policies 3.3:Generate access token plaintext 3.4:Sign and/or encrypt the token 4:Access token response 5:Issue access token revocation list 6:Security association establishment 7:Access request with access token 8.1:Decrypt and/or verify the token 8.2:Check access token revocation list 8.3:Evaluate the privileges in access token 8.4:Perform the requested resource access 9:Access response 21 22 Figure 8.x.2-1: Generic process of Access Token issuance and use 23 24 1. The Originator and the Token Authority establish security association through mutual authentication to ensure the integrity and confidentiality of communications between the two entities. 25 2. The Originator sends Access Token Request to the Token Authority. © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0571-TR-0019_A_Proposal_of_Token_Issuance_General_Procedure_Part 26 3. The Token Authority CSE does the following operations: 27 1) Check if the Originator has the privileges of accessing the target resource according to the ACP; 28 29 2) Check if the Originator can obtain the privileges described in the Access Token Request according to the Access Token Authorization Policies; 30 3) Generate access token plaintext; 31 4) Sign and/or encrypt the access token plaintext. 32 33 34 4. The Token Authority returns the issued Access Token back to the Originator. It is also possible for the Token Authority to store the Access Token and inform the Originator where to retrieve the Access Token. 35 36 5. The Token Authority may also issue an Access Token Revocation List in which the revoked Access Tokens that are still not expired are placed. 37 38 6. The Originator and the Hosting CSE establish security association through mutual authentication to ensure the integrity and confidentiality of communications between the two entities. 39 40 7. The Originator sends resource access request in which one or multiple Access Token is included to the Hosting CSE. 41 8. The Hosting CSE extracts the Access Tokens from the resource access request, and dos the following operations: 42 1) Decrypt and/or verify the Access Token. 43 2) Check if this Access Token has been revoked against an Access Token Revocation List. 44 3) Evaluate the Originator’s resource access request based on the privileges in the Access Token. 45 4) Perform the requested resource access. 46 9. The Hosting CSE returns the execution result back to the Originator. 47 48 49 © 2015 oneM2M Partners Page 1 (of 2)