rfcdiff: draft-ietf-oauth-amr-values-00.txt vs. draft-ietf-oauth-amr-values-01.txt
(text common to both drafts is shown once; lines only in -00 are prefixed "-", lines only in -01 are prefixed "+")

OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                                 P. Hunt
-Expires: September 18, 2016                                      Oracle
+Expires: January 8, 2017                                         Oracle
                                                              A. Nadalin
                                                               Microsoft
-                                                         March 17, 2016
+                                                            July 7, 2016

                 Authentication Method Reference Values
-                   draft-ietf-oauth-amr-values-00
+                   draft-ietf-oauth-amr-values-01
Abstract

   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry but no
   standard Authentication Method Reference values are currently
   defined.  This specification establishes a registry for
   Authentication Method Reference values and defines an initial set of
   Authentication Method Reference values.

skipping to change at page 1, line 38

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on September 18, 2016.
+  This Internet-Draft will expire on January 8, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 18
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Notation and Conventions . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Authentication Method Reference Values  . . . . . . . . . . .   3
   3.  Relationship to "acr" (Authentication Context Class
       Reference)  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   5
-  5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
+  5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  Authentication Method Reference Values Registry . . . . .   6
       6.1.1.  Registration Template . . . . . . . . . . . . . . . .   7
       6.1.2.  Initial Registry Contents . . . . . . . . . . . . . .   7
-  7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
-    7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
+  7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
+    7.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  11
-  Appendix B.  Document History  . . . . . . . . . . . . . . . . . .  11
-  Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11
+  Appendix B.  Document History  . . . . . . . . . . . . . . . . . .  12
+  Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry
   [IANA.JWT.Claims] but no standard Authentication Method Reference
   values are currently defined.  This specification establishes a
   registry for Authentication Method Reference values and defines an
   initial set of Authentication Method Reference values.

skipping to change at page 3, line 7
   For context, while the claim values registered pertain to
   authentication, note that OAuth 2.0 [RFC6749] is designed for
   resource authorization and cannot be used for authentication without
   employing appropriate extensions, such as those defined by OpenID
   Connect Core 1.0 [OpenID.Core].  The existence of the "amr" claim and
   values for it should not be taken as encouragement to try to use
   OAuth 2.0 for authentication without employing extensions enabling
   secure authentication to be performed.

+  When used with OpenID Connect, if the identity provider supplies an
+  "amr" claim in the ID Token resulting from a successful
+  authentication, the relying party can inspect the values returned and
+  thereby learn details about how the authentication was performed.
+  For instance, the relying party might learn that only a password was
+  used or it might learn that iris recognition was used in combination
+  with a hardware-secured key.  Whether "amr" values are provided and
+  which values are understood by what parties are both beyond the scope
+  of this specification.  The OpenID Connect MODRNA Authentication
+  Profile 1.0 [OpenID.MODRNA] is one example of an application context
+  that uses "amr" values defined by this specification.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

1.2.  Terminology

   This specification uses the terms defined by JSON Web Token (JWT)
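Review bot: in the paragraph added to the Introduction, "which values are understood by what parties" reads better as "which values are understood by which parties". Since the same paragraph says the relying party learns "how the authentication was performed" from values the identity provider supplies, consider stating that the relying party learns only what the identity provider asserts, which is all an ID Token claim can convey.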
skipping to change at page 3, line 40 (-00) / page 4, line 5 (-01)

      scope of this specification.  Parties using this claim will need
      to agree upon the meanings of the values used, which may be
      context-specific.  The "amr" value is an array of case sensitive
      strings.

   However, OpenID Connect does not specify any particular
   Authentication Method Reference values to be used in the "amr" claim.

   The following is a list of Authentication Method Reference values
   defined by this specification:

-  eye
-     Retina scan biometric

   face
      Facial recognition

   fpt
      Fingerprint biometric

   geo
      Use of geolocation information

   hwk
      Proof-of-possession (PoP) of a hardware-secured key.  See
      Appendix C of [RFC4211] for a discussion on PoP.

+  iris
+     Iris scan biometric

   kba
      Knowledge-based authentication [NIST.800-63-2]

   mca
      Multiple-channel authentication.  The authentication involves
      communication over more than one distinct channel.

   mfa
      Multiple-factor authentication [NIST.800-63-2].  When this is
      present, specific authentication methods used may also be

skipping to change at page 4, line 37 (-00) / page 4, line 49 (-01)

      containing only numbers) that a user enters to unlock a key on the
      device.  This mechanism SHOULD have a way to deter an attacker
      from obtaining the PIN by trying repeated guesses.

   pwd
      Password-based authentication

   rba
      Risk-based authentication [JECM]

+  retina
+     Retina scan biometric

   sc
      Smart card

   sms
      Confirmation using SMS message to the user at a registered number

   swk
      Proof-of-possession (PoP) of a software-secured key.  See
      Appendix C of [RFC4211] for a discussion on PoP.
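As an added example (not part of the draft), the relying-party check the Introduction describes, written in Python against the value list above: it decodes the ID Token payload, enforces that "amr" is an array of case-sensitive strings, and decides whether two distinct factors were evidenced. The factor grouping, the sample token and the function names are this example's own assumptions; values elided in this diff are left out.

```python
import base64
import json

# Values from Section 2 that are visible in this diff, grouped by the factor
# they evidence. The grouping is this example's own assumption, not the
# draft's; "geo", "rba", "mca" and "mfa" are deliberately absent because they
# describe context or a combination rather than a single factor.
FACTOR_OF = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "hwk": "possession", "swk": "possession", "sc": "possession",
    "sms": "possession",
    "face": "inherence", "fpt": "inherence", "iris": "inherence",
    "retina": "inherence",
}

def decode_payload(id_token: str) -> dict:
    """Base64url-decode the JWT payload. Signature, issuer, audience and
    expiry checks are assumed to have been done already by a JOSE library."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def amr_values(claims: dict) -> list:
    """Return the "amr" array, enforcing the type the draft gives it: an array
    of case-sensitive strings. Missing claim -> []; malformed claim -> error."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError('"amr" must be an array of strings')
    return amr

def distinct_factors(amr: list) -> set:
    """Factor categories evidenced by recognised values. Unknown or differently
    cased values ("SMS" is not "sms") are ignored rather than guessed at."""
    return {FACTOR_OF[v] for v in amr if v in FACTOR_OF}

def meets_mfa_policy(claims: dict, trust_mfa_assertion: bool = False) -> bool:
    """True when the token evidences two distinct factors. The draft lets an
    IdP assert "mfa" without listing the specific methods; accept that bare
    assertion only if the relying party has explicitly chosen to trust it."""
    amr = amr_values(claims)
    if trust_mfa_assertion and "mfa" in amr:
        return True
    return len(distinct_factors(amr)) >= 2

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (empty signature part), for demonstration
# only; a real ID Token would be verified before its claims are read.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"iss": "https://idp.example", "sub": "alice",
             "amr": ["pwd", "sms"]}),
    "",
])

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_ID_TOKEN)
    print(amr_values(claims), meets_mfa_policy(claims))  # ['pwd', 'sms'] True
```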
skipping to change at page 7, line 33 (-00) / page 7, line 44 (-01)

      email address, home page URI) may also be included.

   Specification Document(s):
      Reference to the document or documents that specify the parameter,
      preferably including URIs that can be used to retrieve copies of
      the documents.  An indication of the relevant sections may also be
      included but is not required.

6.1.2.  Initial Registry Contents

-  o  Authentication Method Reference Name: "eye"
-  o  Authentication Method Reference Description: Retina scan biometric
-  o  Change Controller: IESG
-  o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "face"
   o  Authentication Method Reference Description: Facial recognition
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "fpt"
   o  Authentication Method Reference Description: Fingerprint biometric
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

skipping to change at page 8, line 4 (-00) / page 8, line 10 (-01)

   o  Authentication Method Reference Name: "geo"
   o  Authentication Method Reference Description: Geolocation
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "hwk"
   o  Authentication Method Reference Description: Proof-of-possession
      of a hardware-secured key
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

+  o  Authentication Method Reference Name: "iris"
+  o  Authentication Method Reference Description: Iris scan biometric
+  o  Change Controller: IESG
+  o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "kba"
   o  Authentication Method Reference Description: Knowledge-based
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "mca"
   o  Authentication Method Reference Description: Multiple-channel
      authentication
   o  Change Controller: IESG

skipping to change at page 8, line 51 (-00) / page 9, line 15 (-01)
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "rba"
   o  Authentication Method Reference Description: Risk-based
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

+  o  Authentication Method Reference Name: "retina"
+  o  Authentication Method Reference Description: Retina scan biometric
+  o  Change Controller: IESG
+  o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "sc"
   o  Authentication Method Reference Description: Smart card
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

   o  Authentication Method Reference Name: "sms"
   o  Authentication Method Reference Description: Confirmation using
      SMS
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this specification ]]

skipping to change at page 10, line 30 (-00) / page 10, line 43 (-01)

   [NIST.800-63-2]
              National Institute of Standards and Technology (NIST),
              "Electronic Authentication Guideline", NIST Special
              Publication 800-63-2, August 2013,
              <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-63-2.pdf>.

   [OpenID.Core]
              Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
-             C. Mortimore, "OpenID Connect Core 1.0", November 2014.
+             C. Mortimore, "OpenID Connect Core 1.0", November 2014,
+             <http://openid.net/specs/openid-connect-core-1_0.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC4211]  Schaad, J., "Internet X.509 Public Key Infrastructure
              Certificate Request Message Format (CRMF)", RFC 4211,
              DOI 10.17487/RFC4211, September 2005,
              <http://www.rfc-editor.org/info/rfc4211>.

skipping to change at page 11, line 16 (-00) / page 11, line 31 (-01)
              Time-Based One-Time Password Algorithm", RFC 6238,
              DOI 10.17487/RFC6238, May 2011,
              <http://www.rfc-editor.org/info/rfc6238>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <http://www.rfc-editor.org/info/rfc6749>.

7.2.  Informative References

+  [OpenID.MODRNA]
+             Connotte, J. and J. Bradley, "OpenID Connect MODRNA
+             Authentication Profile 1.0", February 2016,
+             <https://bitbucket.org/openid/mobile/raw/default/draft-
+             mobile-authentication-01.txt>.

   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", RFC 6819,
              DOI 10.17487/RFC6819, January 2013,
              <http://www.rfc-editor.org/info/rfc6819>.

Appendix A.  Acknowledgements

   Caleb Baker participated in specifying the original set of "amr"
   values.  John Bradley, Brian Campbell, William Denniss, James Manger,
-  and Nat Sakimura provided reviews of the specification.
+  Nat Sakimura, and Mike Schwartz provided reviews of the
+  specification.

Appendix B.  Document History

   [[ to be removed by the RFC editor before publication as an RFC ]]

+  -01
+
+  o  Distinguished between retina and iris biometrics.
+  o  Expanded the introduction to provide additional context to
+     readers.
+  o  Referenced the OpenID Connect MODRNA Authentication Profile 1.0
+     specification, which uses "amr" values defined by this
+     specification
   -00

   o  Created the initial working group draft from draft-jones-oauth-
      amr-values-05 with no normative changes.
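Review bot: the last -01 history item, "Referenced the OpenID Connect MODRNA Authentication Profile 1.0 specification, which uses "amr" values defined by this specification", is missing its terminating period; the other two items in that list end with one.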
Authors' Addresses

   Michael B. Jones
   Microsoft

End of changes.  19 change blocks.
19 lines changed or deleted, 57 lines changed or added

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/