Authorization code flow the waf authenticates both

This preview shows pages 136–137.

- Authorization Code flow: The WAF authenticates both the user and the WWSF before it issues the access token. The WAF may also request the user to explicitly authorize the WWSF.
- Client Credentials flow: The WAF authenticates only the WWSF and the authorization is performed without user involvement. As part of the authorization, the WAF verifies that the WWSF has the necessary permissions to access the IMS account indicated in the request. It is assumed that the WWSF has authenticated the user prior to sending the token request.

In the example of OAuth 2.0 the authorization token is an access token and IMPI and IMPU are associated with the access token. Using the terminology of OAuth 2.0, the IMS subscriber corresponds to the resource owner, the WWSF corresponds to the client, the WAF corresponds to the authorization server, and the IMS network corresponds to the resource server.

The access token is associated with a specific resource owner (i.e. the IMS subscriber) and client (i.e. the WWSF) and has a certain lifetime and scope. This authorization information can either be encoded into the token itself and verified through a signature or MAC (so-called self-contained token), or retrieved as part of the validation response if the validation is performed against the WAF.

NOTE 4: In the present 3GPP release the token format and verification procedure is left out of scope. It is assumed that the eP-CSCF can check the validity of the token and obtain the subscriber IMPI and IMPU(s), the WWSF identity, lifetime, and scope parameters.

1. Web page download from WWSF

1.1 General: An example realisation of this step is as follows:

- From within a WebRTC-enabled browser, the user accesses a URI to the WWSF to initiate an HTTPS connection to the WWSF. The TLS connection provides one-way authentication of the server based on the server certificate. The browser downloads and initializes the WIC from the WWSF.

The WWSF forwards the authorization token to the WIC for inclusion in IMS registration procedure (step 3 below).

Example of OAuth 2.0: Identical to 1.1.

2. Establishment of secure connection between WIC and eP-CSCF

2.1 General: An example realisation of this step is as follows:

The WIC opens a WSS (secure Web Socket) connection to the eP-CSCF. The TLS connection provides one-way authentication of the server based on the server certificate. The eP-CSCF verifies in this step that the WIC establishing the signalling connection comes from a trusted domain.

NOTE 5: The eP-CSCF can verify that the WIC establishing the signalling connection comes from a trusted domain by inspecting the value of Origin header. This header is inserted by the browser in the WebSocket handshake and in every HTTP request. (This requires the use of CORS, http://www.w3.org/TR/cors/ ). The protection mechanism works under the assumption that the browser is not under the attacker's control, which means that the contents of the Origin header can be trusted.
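The self-contained token option described above (authorization information encoded in the token and verified through a MAC) can be sketched as follows. This is an added example, not part of the 3GPP text, which leaves the token format out of scope: the JSON claim layout, the HMAC-SHA256 construction, the function names and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _mac(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(key, impi, impus, wwsf, scope, lifetime, now=None):
    """WAF side: bind subscriber, client, scope and expiry under one MAC."""
    now = int(time.time() if now is None else now)
    claims = {"impi": impi, "impus": impus, "wwsf": wwsf,
              "scope": scope, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _mac(key, body)

def validate_token(key, token, trusted_wwsfs, required_scope, now=None):
    """eP-CSCF side: return the claims, or raise ValueError."""
    now = int(time.time() if now is None else now)
    body, sep, tag = token.partition(".")
    # Check the MAC in constant time before parsing anything in the body.
    if not sep or not hmac.compare_digest(_mac(key, body).encode(), tag.encode()):
        raise ValueError("bad MAC")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["wwsf"] not in trusted_wwsfs:
        raise ValueError("untrusted WWSF")
    if required_scope not in claims["scope"]:
        raise ValueError("scope not granted")
    return claims

def check(key, token, **kw):
    try:
        validate_token(key, token, **kw)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample values; none come from the 3GPP text.
KEY = b"constructed-demo-key-shared-by-WAF-and-eP-CSCF"
TOKEN = issue_token(KEY, "alice@ims.example", ["sip:alice@ims.example"],
                    "wwsf.example", ["ims-register"], lifetime=300, now=1000)
ARGS = dict(trusted_wwsfs={"wwsf.example"}, required_scope="ims-register")

if __name__ == "__main__":
    print(check(KEY, TOKEN, now=1100, **ARGS))        # inside the lifetime
    print(check(KEY, TOKEN, now=1300, **ARGS))        # lifetime elapsed
    print(check(KEY, "x" + TOKEN, now=1100, **ARGS))  # body altered
```

A MAC-based token requires the WAF and the eP-CSCF to share the key, so either party could mint tokens; the signature variant mentioned in the text avoids that by giving the eP-CSCF only a verification key.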