AudioCodes E-SBC User Manual page 780

CHAPTER 30 SBC Overview
X2w5mrRmLI18iRF0HqanWH3MJXJh0le3CRRN5O1F_Jx_
YxMH7Ue8864xP9CIN5X4g9eeQKuZxeppvBtf1BPjaKX6KQIbTN2IRPTj21hzUNvJO
6zWMIAiOWKQlHEBtk4upgsIBhkWs0fTLxpgFPlL0gx2pciN1yE9x_
SprisCxFhpatxYpBKejZqw12TYeyuInTWCtYaBu2tLdEIowLM7kEuwJsF5enN5a9Xgv
PfltYufoEn9bKriezYLcQoUlvDZ4Oq7bK5C4aWkTUu6eMgkqIC50fCb3oyiYzLbbMmZ
06JA
Contact: <sip:lnumvv6i@9rihbeck4vat.invalid;transport=ws>;+sip.ice;reg-
id=1;+sip.instance="<urn:uuid:1007ed30-98a3-492e-966f
67b6f6eb99c5>";expires=600
Expires: 600
Allow: INVITE,ACK,CANCEL,BYE,UPDATE,MESSAGE,OPTIONS,REFER,INFO
Supported: path,gruu,outbound
User-Agent: Example WebRTC phone
Content-Length: 0
3. The device authenticates the SIP request, by sending (HTTP POST) an HTTP Introspection
request with the user's Access Token to the OAuth Authorization server, as shown in the
following example:
POST /auth/realms/demo/protocol/openid-connect/token/introspect HTTP/1.1
Host: authorizationhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length:...
Authorization: Basic
dGVzdEludHJvc3BlY3Q6NTliZDA4NGUtMTJlNi00N2I5LWJmNz
token=<Access Token from Bearer in SIP Authorization header>
4. The OAuth Authorization server checks (introspects) if the token is currently active (or if it has
expired or revoked). Upon a successful introspection, the OAuth Authorization server sends to
the device a 200 OK response containing a JSON body ("application/ json").
5. The device checks the following attributes in the received JSON body:
● "active": A "true" value indicates a valid token and the device allows the user access to its
resources and continues with the regular handling and processing of the SIP request (e.g.,
registers user or processes the call). A "false" value indicates an invalid token and the
device responds to the SIP request with a 401 (Unauthorized) response containing the
header 'WWW-Authenticate: Bearer error="invalid-token"', indicating authentication
failure.
● "username": (Optional attribute) When it exists, the device compares it to the AOR of the
SIP message. For REGISTER requests, the AOR is taken from the To header; for all other
requests, the AOR is taken from the From header. If the username includes a "@"
character, the entire AOR is compared; otherwise, only the user-part of the AOR is
compared. If comparison fails, the device responds to the SIP request with a 401
(Unauthorized) response containing the header 'WWW-Authenticate: Bearer
error="invalid_request"', indicating authentication failure.
Mediant 1000 Gateway & E-SBC | User's Manual
- 742 -