1、 International Telecommunication Union ITU-T Y.2724TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (11/2013) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security Framework for supporting OAuth and OpenID in next generat
2、ion networks Recommendation ITU-T Y.2724 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399 Interface
3、s and protocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabilities and
4、 resource management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS Framewor
5、ks and functional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Enhancements to NGN Y.2300Y.2399 Network manag
6、ement Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Packet-based Networks Y.2600Y.2699 Security Y.2700Y.2799Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 FUTURE NETWORKS Y.3000Y.3499 CLOUD COMPUTING Y.3500Y.3999 For further details, please refe
7、r to the list of ITU-T Recommendations. Rec. ITU-T Y.2724 (11/2013) i Recommendation ITU-T Y.2724 Framework for supporting OAuth and OpenID in next generation networks Summary Recommendation ITU-T Y.2724 describes a framework for the support and use of the IETF open authorization protocol (OAuth) an
8、d the OpenID protocol in the context of next generation networks (NGNs). Both protocols have been defined for general use on the worldwide web. The heightened security and identity management requirements of NGNs require careful restriction of the above protocols. This Recommendation explains the ap
9、plicability of these protocols to NGNs and provides high-level guidelines for their use. The companion Recommendation ITU-T Y.2723, “Support for OAuth in next generation networks“ provides a detailed set of NGN profiles. History Edition Recommendation Approval Study Group 1.0 ITU-T Y.2724 2013-11-15
10、 13 ii Rec. ITU-T Y.2724 (11/2013) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of
11、 ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topic
12、s for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepa
13、red on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may
14、 contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to ex
15、press requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Pr
16、operty Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice
17、of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013
18、 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T Y.2724 (11/2013) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommen
19、dation . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Framework for supporting OAuth and OpenID in NGN 3 6.1 Reference model . 4 6.2 OAuth and OpenID flows . 4 Appendix I Selected use cases 9 I.1 Use case: web server 9 I.2 Use case: client credentials . 10 I.3 Use case: assertion 11 Bibliograp
20、hy. 12 Rec. ITU-T Y.2724 (11/2013) 1 Recommendation ITU-T Y.2724 Framework for supporting OAuth and OpenID in next generation networks 1 Scope This Recommendation describes a framework for the support and use of OAuth and OpenID by next generation networks (NGNs). The scope of this Recommendation in
21、cludes: functional framework for NGN support of OAuth and OpenID requirements for NGN support of OAuth and OpenID OAuth and OpenID use cases (documented in Appendix I). NOTE Implementers and operators of the described technology shall comply with all applicable national and regional laws, regulation
22、s and policies. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are su
23、bject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a documen
24、t within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T Y.2012 Recommendation ITU-T Y.2012 (2010), Functional requirements and architecture of next generation networks. ITU-T Y.2720 Recommendation ITU-T Y.2720 (2009), NGN identity management fr
25、amework. ITU-T Y.2722 Recommendation ITU-T Y.2722 (2011), NGN identity management mechanisms. IETF RFC 6749 IETF RFC 6749 (2012), The OAuth 2.0 Authorization Framework. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 access token IETF R
26、FC 6749: Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced
27、 by the resource server and authorization server. 3.1.2 (entity) authentication b-ITU-T X.1252: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE Use of the term authentication in an identity management (IdM) context is taken to mean e
28、ntity authentication. 3.1.3 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights 2 Rec. ITU-T Y.2724 (11/2013) 3.1.4 authorization server IETF RFC 6749: The server issuing access tokens to the client after successfully authenticating the r
29、esource owner and obtaining authorization. 3.1.5 client IETF RFC 6749: An application making protected resource requests on behalf of the resource owner and with its authorization. The term “client“ does not imply any particular implementation characteristics (e.g., whether the application executes
30、on a server, a desktop, or other devices). 3.1.6 entity b-ITU-T X.1252: Something that has a separate and distinct existence and that can be identified in context. NOTE An entity can be a physical person, an animal, a juridical person, an organization, an active or passive thing, a device, a softwar
31、e application, a service, etc., or a group of these entities. In the context of telecommunications, examples of entities include access points, subscribers, users, network elements, networks, software applications, services and devices, interfaces, etc. 3.1.7 identifier b-ITU-T X.1252: One or more a
32、ttributes used to identify an entity within a context. NOTE In the context of NGN as defined in b-ITU-T Y.2091, an identifier is a series of digits, characters and symbols or any other form of data used to identify subscriber(s), user(s), network element(s), function(s), network entity(ies) providin
33、g services/applications, or other entities (e.g., physical or logical objects). 3.1.8 identity provider (IdP) b-ITU-T X.1252: See identity service provider (IdSP) 3.1.9 identity service provider (IdSP) b-ITU-T X.1252: An entity that verifies, maintains, manages, and may create and assign identity in
34、formation of other entities. 3.1.10 refresh token IETF RFC 6749: Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower sc
35、ope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token. 3.1.11 reso
36、urce owner IETF RFC 6749: An entity capable of granting access to a protected resource. When the resource owner is a person, they are referred to as an end-user. 3.1.12 resource server IETF RFC 6749: The server hosting the protected resources, capable of accepting and responding to protected resourc
37、e requests using access tokens. 3.2 Terms defined in this Recommendation None. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: AKA Authentication and Key Agreement ANI Application-to-Network Interface FE Functional Entity GBA Generic Bootstrapping Arch
38、itecture IdM Identity Management IdP Identity Provider IdSP Identity Service Provider IMPI IP Multimedia Private Identity Rec. ITU-T Y.2724 (11/2013) 3 IMSI International Mobile Subscriber Identity NGN Next Generation Network SAML Security Assertion Markup Language SNI Service Network Interface UNI
39、User Network Interface 5 Conventions In this Recommendation: The keywords “is required to“ indicate a requirement which must be strictly followed and from which no deviation is permitted, if conformance to this document is to be claimed. The keywords “is recommended“ indicate a requirement which is
40、recommended but which is not absolutely required. Thus this requirement need not be present to claim conformance. The keywords “is prohibited from“ indicate a requirement which must be strictly followed and from which no deviation is permitted if conformance to this document is to be claimed. The ke
41、ywords “can optionally“ indicate an optional requirement which is permissible, without implying any sense of being recommended. This term is not intended to imply that the vendors implementation must provide the option and the feature can be optionally enabled by the network operator/service provide
42、r. Rather, it means the vendor may optionally provide the feature and still claim conformance with the specification. In the body of this Recommendation and its annexes, the words shall, shall not, should and may sometimes appear, in which case they are to be interpreted respectively as, is required
43、 to, is prohibited from, is recommended, and can optionally. The appearance of such phrases or keywords in an appendix or in material explicitly marked as informative are to be interpreted as having no normative intent. 6 Framework for supporting OAuth and OpenID in NGN As described in ITU-T Y.2720,
44、 the NGN network consists of multiple functional elements that use identifiers of entities to perform their functions in order to support and facilitate open authentication services to other providers. Such arrangements could be supported using OpenID and OAuth as shown in Figure 1. The use of OpenI
45、D and OAuth in NGNs is depicted in Figure 1. According to the OpenID specification b-OpenID v.2, the OpenID IdP server participates in the whole authentication workflow, and the OAuth allows the relying party to send the authentication message directly to the NGN-IdP through the OAuth protocol. 4 Re
46、c. ITU-T Y.2724 (11/2013) Y.2724(13)_F01Application(Relying party)ANYNGN Provider AANYNGN Provider BService stratum Service stratumService controlfunctionsTransportstratumAccess AccessTransitUser DeviceUNI3 partyproviderrdNNIIdPOpenID workflowOAuth workflowService controlfunctionsTransportstratumUNI
47、UserDeviceOpenID-IdPIdPIdPOAuthFigure 1 The OpenID and OAuth flows for NGN 6.1 Reference model Figure 1 provides a general overview of OAuth and OpenID frameworks. Figure 2 depicts a reference model for NGN to provide OAuth authorization and OpenID authentication services. NGN providers may use Open
48、ID and OAuth to offer IdSP services and partner with content and application providers and/or other service providers. Y.2724(13)_F02OpenID IdPWeb services andapplication providersANIUNI NNISNIand NGN (IdSP)OAuthauthorization andOpenIDauthenticationservicesEndusersOtherNGS andIdSPsFigure 2 Reference
49、 model 6.2 OAuth and OpenID flows This clause provides the general description of the message flows for OAuth and OpenID in NGN. 6.2.1 Entities involved in information flows This clause identifies the entities (including the functional entities of ITU-T Y.2012) that participate in the OAuth and OpenID information flows. Rec. ITU-T Y.2724 (11/2013) 5 6.2.2 Entities that are common to the OAuth and OpenID flows The entities involved in both the OAuth and OpenID flows are as follows: