draft-ietf-oauth-amr-values-01.txt   draft-ietf-oauth-amr-values-02.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: January 8, 2017 Oracle Expires: March 13, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
July 7, 2016 September 9, 2016
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-01 draft-ietf-oauth-amr-values-02
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2017. This Internet-Draft will expire on March 13, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation and Conventions . . . . . . . . . . 3 1.1. Requirements Notation and Conventions . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Authentication Method Reference Values . . . . . . . . . . . 3 2. Authentication Method Reference Values . . . . . . . . . . . 3
3. Relationship to "acr" (Authentication Context Class 3. Relationship to "acr" (Authentication Context Class
Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5 Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 5 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 6
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 Appendix B. Document History . . . . . . . . . . . . . . . . . . 12
skipping to change at page 2, line 39 skipping to change at page 2, line 39
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
initial set of Authentication Method Reference values. initial set of Authentication Method Reference values.
The set of "amr" values defined by this specification is not intended For context, the "amr" (Authentication Methods References) claim is
to be an exhaustive set covering all use cases. Additional values defined by Section 2 of the OpenID Connect Core 1.0 specification
can and will be added to the registry by other specifications. [OpenID.Core] as follows:
Rather, the values defined herein are an intentionally small set that
are already actually being used in practice. amr
OPTIONAL. Authentication Methods References. JSON array of
strings that are identifiers for authentication methods used in
the authentication. For instance, values might indicate that both
password and OTP authentication methods were used. The definition
of particular values to be used in the "amr" Claim is beyond the
scope of this specification. Parties using this claim will need
to agree upon the meanings of the values used, which may be
context-specific. The "amr" value is an array of case sensitive
strings.
The "amr" values defined by this specification is not intended to be
an exhaustive set covering all use cases. Additional values can and
will be added to the registry by other specifications. Rather, the
values defined herein are an intentionally small set that are already
actually being used in practice.
For context, while the claim values registered pertain to For context, while the claim values registered pertain to
authentication, note that OAuth 2.0 [RFC6749] is designed for authentication, note that OAuth 2.0 [RFC6749] is designed for
resource authorization and cannot be used for authentication without resource authorization and cannot be used for authentication without
employing appropriate extensions, such as those defined by OpenID employing appropriate extensions, such as those defined by OpenID
Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and
values for it should not be taken as encouragement to try to use values for it should not be taken as encouragement to try to use
OAuth 2.0 for authentication without employing extensions enabling OAuth 2.0 for authentication without employing extensions enabling
secure authentication to be performed. secure authentication to be performed.
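Review bot: the -02 sentence "The "amr" values defined by this specification is not intended to be an exhaustive set" has a subject/verb mismatch that the -01 wording ("The set of "amr" values ... is not intended") did not have; change "is" to "are" or restore "The set of". Two consecutive paragraphs now open with "For context," (the new one introducing the OpenID Connect definition and the existing one about OAuth 2.0 being designed for authorization); drop the phrase from one of them so the second paragraph does not read as a restart.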
skipping to change at page 3, line 33 skipping to change at page 3, line 48
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119]. 2119 [RFC2119].
1.2. Terminology 1.2. Terminology
This specification uses the terms defined by JSON Web Token (JWT) This specification uses the terms defined by JSON Web Token (JWT)
[JWT] and OpenID Connect Core 1.0 [OpenID.Core]. [JWT] and OpenID Connect Core 1.0 [OpenID.Core].
2. Authentication Method Reference Values 2. Authentication Method Reference Values
The "amr" (Authentication Methods References) claim is defined by the
OpenID Connect Core 1.0 specification [OpenID.Core] as follows:
amr
OPTIONAL. Authentication Methods References. JSON array of
strings that are identifiers for authentication methods used in
the authentication. For instance, values might indicate that both
password and OTP authentication methods were used. The definition
of particular values to be used in the "amr" Claim is beyond the
scope of this specification. Parties using this claim will need
to agree upon the meanings of the values used, which may be
context-specific. The "amr" value is an array of case sensitive
strings.
However, OpenID Connect does not specify any particular
Authentication Method Reference values to be used in the "amr" claim.
The following is a list of Authentication Method Reference values The following is a list of Authentication Method Reference values
defined by this specification: defined by this specification:
face face
Facial recognition Facial recognition
fpt fpt
Fingerprint biometric Fingerprint biometric
geo geo
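Review bot: with the quoted "amr" definition and the sentence "However, OpenID Connect does not specify any particular Authentication Method Reference values to be used in the "amr" claim" both removed here, Section 2 now opens directly with the value list; a one-line pointer back to the definition in Section 1 (in particular that "amr" is a JSON array of case sensitive strings) would keep the normative section self-contained for readers who jump straight to it.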
skipping to change at page 4, line 26 skipping to change at page 4, line 24
Appendix C of [RFC4211] for a discussion on PoP. Appendix C of [RFC4211] for a discussion on PoP.
iris iris
Iris scan biometric Iris scan biometric
kba kba
Knowledge-based authentication [NIST.800-63-2] Knowledge-based authentication [NIST.800-63-2]
mca mca
Multiple-channel authentication. The authentication involves Multiple-channel authentication. The authentication involves
communication over more than one distinct channel. communication over more than one distinct communication channel.
For instance, a multiple-channel authentication might involve both
entering information into a workstation's browser and providing
information on a telephone call to a pre-registered number.
mfa mfa
Multiple-factor authentication [NIST.800-63-2]. When this is Multiple-factor authentication [NIST.800-63-2]. When this is
present, specific authentication methods used may also be present, specific authentication methods used may also be
included. included.
otp otp
One-time password. One-time password specifications that this One-time password. One-time password specifications that this
authentication method applies to include [RFC4226] and [RFC6238]. authentication method applies to include [RFC4226] and [RFC6238].
pin pin
Personal Identification Number or pattern (not restricted to Personal Identification Number or pattern (not restricted to
containing only numbers) that a user enters to unlock a key on the containing only numbers) that a user enters to unlock a key on the
device. This mechanism SHOULD have a way to deter an attacker device. This mechanism should have a way to deter an attacker
from obtaining the PIN by trying repeated guesses. from obtaining the PIN by trying repeated guesses.
pwd pwd
Password-based authentication Password-based authentication
rba rba
Risk-based authentication [JECM] Risk-based authentication [JECM]
retina retina
Retina scan biometric Retina scan biometric
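Review bot: the "pin" entry changes "This mechanism SHOULD have a way to deter an attacker from obtaining the PIN by trying repeated guesses" to lowercase "should", which removes the only RFC 2119 keyword visible in the value descriptions; if the intent is that registry value descriptions are descriptive rather than normative, state that once in Section 2's lead-in, so the guess-throttling expectation is not read as having been weakened by accident. In the "mca" entry the new wording "communication over more than one distinct communication channel" repeats "communication"; "involves more than one distinct communication channel" reads better, and the added workstation-plus-telephone example is a useful clarification.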
skipping to change at page 12, line 9 skipping to change at page 12, line 9
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. John Bradley, Brian Campbell, William Denniss, James Manger, values. John Bradley, Brian Campbell, William Denniss, James Manger,
Nat Sakimura, and Mike Schwartz provided reviews of the Nat Sakimura, and Mike Schwartz provided reviews of the
specification. specification.
Appendix B. Document History Appendix B. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-02
o Addressed working group last call comments.
-01 -01
o Distinguished between retina and iris biometrics. o Distinguished between retina and iris biometrics.
o Expanded the introduction to provide additional context to o Expanded the introduction to provide additional context to
readers. readers.
o Referenced the OpenID Connect MODRNA Authentication Profile 1.0 o Referenced the OpenID Connect MODRNA Authentication Profile 1.0
specification, which uses "amr" values defined by this specification, which uses "amr" values defined by this
specification specification.
-00 -00
o Created the initial working group draft from draft-jones-oauth- o Created the initial working group draft from draft-jones-oauth-
amr-values-05 with no normative changes. amr-values-05 with no normative changes.
Authors' Addresses Authors' Addresses
Michael B. Jones Michael B. Jones
Microsoft Microsoft
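Review bot: the new -02 history entry "Addressed working group last call comments" does not say what changed; going by the rest of this diff, list the substantive edits (moved the OpenID Connect "amr" definition from Section 2 into the Introduction, added a telephone-call example to "mca", and changed "SHOULD" to "should" in "pin"), since the "pin" change in particular is one that implementers will want to be able to find from the history.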
 End of changes. 11 change blocks. 
29 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/