AudioCodes Mediant 800 User Manual page 804

Gateways & session border controllers

CHAPTER 30    SBC Overview
3. The device authenticates the SIP request by sending (HTTP POST) an HTTP Introspection
request with the user's Access Token to the OAuth Authorization server, as shown in the
following example:
POST /auth/realms/demo/protocol/openid-connect/token/introspect HTTP/1.1
Host: authorizationhost.com
Content-Type: application/x-www-form-urlencoded
Content-Length:...
Authorization: Basic dGVzdEludHJvc3BlY3Q6NTliZDA4NGUtMTJlNi00N2I5LWJmNz

token=<Access Token from Bearer in SIP Authorization header>
4. The OAuth Authorization server checks (introspects) if the token is currently active (or if it has
expired or been revoked). Upon a successful introspection, the OAuth Authorization server sends to
the device a 200 OK response containing a JSON body ("application/json").
5. The device checks the following attributes in the received JSON body:
   - "active": A "true" value indicates a valid token and the device allows the user access to its
     resources and continues with the regular handling and processing of the SIP request (e.g.,
     registers user or processes the call). A "false" value indicates an invalid token and the
     device responds to the SIP request with a 401 (Unauthorized) response containing the
     header 'WWW-Authenticate: Bearer error="invalid-token"', indicating authentication
     failure.
   - "username": (Optional attribute) When it exists, the device compares it to the AOR of the
     SIP message. For REGISTER requests, the AOR is taken from the To header; for all other
     requests, the AOR is taken from the From header. If the username includes a "@"
     character, the entire AOR is compared; otherwise, only the user-part of the AOR is
     compared. If comparison fails, the device responds to the SIP request with a 401
     (Unauthorized) response containing the header 'WWW-Authenticate: Bearer
     error="invalid_request"', indicating authentication failure.
Figure 30-1: General Stages of OAuth-based Authentication
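The checks in step 5, sketched as an added Python example (not AudioCodes code or device firmware) that can be used to predict which 401 a given introspection response should produce. The function names, the fail-closed handling of a malformed body or a non-boolean "active", and the case-insensitive host comparison are assumptions of this example; the two WWW-Authenticate values are copied from the text above.

```python
import json
import re

INVALID_TOKEN = 'Bearer error="invalid-token"'      # value as quoted in the manual
INVALID_REQUEST = 'Bearer error="invalid_request"'  # value as quoted in the manual

def aor_parts(header_value):
    """Return (user, host) of the first SIP URI in a To/From header value."""
    m = re.search(r"sips?:([^@:;>\s]+)@([^:;>\s]+)", header_value, re.IGNORECASE)
    if m is None:
        raise ValueError("no SIP URI with a user-part")
    return m.group(1), m.group(2).lower()

def evaluate(method, headers, introspection_body):
    """Return (allow, www_authenticate) for one SIP request.

    headers is a dict holding the request's To and From header values.
    """
    try:
        claims = json.loads(introspection_body)
    except (TypeError, ValueError):
        claims = None
    # Assumption: anything other than a JSON boolean true fails closed.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, INVALID_TOKEN
    username = claims.get("username")
    if username is None:          # optional attribute: nothing to compare
        return True, None
    username = str(username)
    # REGISTER takes the AOR from To; every other method takes it from From.
    source = "To" if method.upper() == "REGISTER" else "From"
    try:
        user, host = aor_parts(headers[source])
    except (KeyError, ValueError):
        return False, INVALID_REQUEST
    if "@" in username:           # compare the entire AOR
        u, _, h = username.rpartition("@")
        match = (u, h.lower()) == (user, host)
    else:                         # compare the user-part only
        match = username == user
    return (True, None) if match else (False, INVALID_REQUEST)

# Constructed sample request headers (not taken from the manual).
SAMPLE = {"To": '"Alice" <sip:alice@EXAMPLE.com>',
          "From": "<sip:bob@example.com>;tag=1"}
```

With the constructed SAMPLE headers, a token whose "username" is "alice" passes for REGISTER (To header) but is rejected for INVITE, where the From header carries a different user.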
The main configuration required for OAuth-based authentication includes the following:
   - Configuring a Remote Web Service to represent the OAuth Authentication server
   - Configuring the source IP Group (client) to authenticate by an OAuth Authorization server
The following provides a step-by-step example of configuring OAuth authentication.
To configure OAuth-based authentication:
1. Open the Remote Web Services table (see Configuring Remote Web Services on page 257),
and then configure a Remote Web Service to represent the OAuth Authentication server:

Mediant 800 Gateway & E-SBC | User's Manual
- 764 -


This manual is also suitable for:

E-sbc
