draft-ietf-oauth-amr-values-05.txt   draft-ietf-oauth-amr-values-06.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: July 28, 2017 Oracle Expires: September 1, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
January 24, 2017 February 28, 2017
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-05 draft-ietf-oauth-amr-values-06
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 28, 2017. This Internet-Draft will expire on September 1, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5 Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 6
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 13
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 13
Appendix C. Document History . . . . . . . . . . . . . . . . . . 13 Appendix C. Document History . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
initial set of Authentication Method Reference values. initial set of Authentication Method Reference values.
skipping to change at page 4, line 4 skipping to change at page 4, line 4
This specification uses the terms defined by JSON Web Token (JWT) This specification uses the terms defined by JSON Web Token (JWT)
[JWT] and OpenID Connect Core 1.0 [OpenID.Core]. [JWT] and OpenID Connect Core 1.0 [OpenID.Core].
2. Authentication Method Reference Values 2. Authentication Method Reference Values
The following is a list of Authentication Method Reference values The following is a list of Authentication Method Reference values
defined by this specification: defined by this specification:
face face
Facial recognition Biometric authentication [RFC4949] using facial recognition
fpt fpt
Fingerprint biometric Biometric authentication [RFC4949] using a fingerprint
geo geo
Use of geolocation information Use of geolocation information for authentication, such as that
provided by [W3C.REC-geolocation-API-20161108]
hwk hwk
Proof-of-possession (PoP) of a hardware-secured key. See Proof-of-possession (PoP) of a hardware-secured key. See
Appendix C of [RFC4211] for a discussion on PoP. Appendix C of [RFC4211] for a discussion on PoP.
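Review bot: the new reference for "geo" points at the W3C Geolocation API, a browser API that hands script the position the user agent itself has determined, so the location behind a "geo" value is reported by the user's device rather than something the authorization server can verify. The description should say so (for example "as reported by the user's device" after the citation), otherwise "geo" reads as evidence of the same kind as the other entries in this list.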
iris iris
Iris scan biometric Biometric authentication [RFC4949] using an iris scan
kba kba
Knowledge-based authentication [NIST.800-63-2] [ISO29115] Knowledge-based authentication [NIST.800-63-2] [ISO29115]
mca mca
Multiple-channel authentication. The authentication involves Multiple-channel authentication [MCA]. The authentication
communication over more than one distinct communication channel. involves communication over more than one distinct communication
For instance, a multiple-channel authentication might involve both channel. For instance, a multiple-channel authentication might
entering information into a workstation's browser and providing involve both entering information into a workstation's browser and
information on a telephone call to a pre-registered number. providing information on a telephone call to a pre-registered
number.
mfa mfa
Multiple-factor authentication [NIST.800-63-2] [ISO29115]. When Multiple-factor authentication [NIST.800-63-2] [ISO29115]. When
this is present, specific authentication methods used may also be this is present, specific authentication methods used may also be
included. included.
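Review bot: the [MCA] citation added to "mca" resolves to an ldapwiki.com page (see the new [MCA] entry in the references), a community wiki with no stable, versioned text; a registry definition will be pointed at indefinitely, so either cite a stable source or rely on the sentences that follow, which already define the two-channel property and give an example, and drop the citation.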
otp otp
One-time password. One-time password specifications that this One-time password [RFC4949]. One-time password specifications
authentication method applies to include [RFC4226] and [RFC6238]. that this authentication method applies to include [RFC4226] and
[RFC6238].
pin pin
Personal Identification Number or pattern (not restricted to Personal Identification Number (PIN) [RFC4949] or pattern (not
containing only numbers) that a user enters to unlock a key on the restricted to containing only numbers) that a user enters to
device. This mechanism should have a way to deter an attacker unlock a key on the device. This mechanism should have a way to
from obtaining the PIN by trying repeated guesses. deter an attacker from obtaining the PIN by trying repeated
guesses.
pwd pwd
Password-based authentication Password-based authentication [RFC4949]
rba rba
Risk-based authentication [JECM] Risk-based authentication [JECM]
retina retina
Retina scan biometric Biometric authentication [RFC4949] using a retina scan
sc sc
Smart card Smart card [RFC4949]
sms sms
Confirmation using SMS message to the user at a registered number Confirmation using SMS [SMS] text message to the user at a
registered number
swk swk
Proof-of-possession (PoP) of a software-secured key. See Proof-of-possession (PoP) of a software-secured key. See
Appendix C of [RFC4211] for a discussion on PoP. Appendix C of [RFC4211] for a discussion on PoP.
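Review bot: the [SMS] reference added for "sms" cites 3GPP TS 03.40 V7.5.0 (2001-12), the GSM-era document; the maintained 3GPP specification with the same title, "Technical realization of the Short Message Service (SMS)", is TS 23.040. Either cite TS 23.040 or say why the older document is the intended reference.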
tel tel
Confirmation by telephone call to the user at a registered number Confirmation by telephone call to the user at a registered number.
This authentication technique is sometimes also referred to as
"call back" [RFC4949].
user user
User presence test User presence test. Evidence that the end-user is present and
interacting with the device. This is sometimes also referred to
as "test of user presence" [W3C.WD-webauthn-20170216].
vbm vbm
Voice biometric Biometric authentication [RFC4949] using a voiceprint
wia wia
Windows integrated authentication, as described in [MSDN] Windows integrated authentication [MSDN]
3. Relationship to "acr" (Authentication Context Class Reference) 3. Relationship to "acr" (Authentication Context Class Reference)
The "acr" (Authentication Context Class Reference) claim and The "acr" (Authentication Context Class Reference) claim and
"acr_values" request parameter are related to the "amr" "acr_values" request parameter are related to the "amr"
(Authentication Methods References) claim, but with important (Authentication Methods References) claim, but with important
differences. An Authentication Context Class specifies a set of differences. An Authentication Context Class specifies a set of
business rules that authentications are being requested to satisfy. business rules that authentications are being requested to satisfy.
These rules can often be satisfied by using a number of different These rules can often be satisfied by using a number of different
specific authentication methods, either singly or in combination. specific authentication methods, either singly or in combination.
skipping to change at page 6, line 41 skipping to change at page 6, line 48
6.1. Authentication Method Reference Values Registry 6.1. Authentication Method Reference Values Registry
This specification establishes the IANA "Authentication Method This specification establishes the IANA "Authentication Method
Reference Values" registry for "amr" claim array element values. The Reference Values" registry for "amr" claim array element values. The
registry records the Authentication Method Reference value and a registry records the Authentication Method Reference value and a
reference to the specification that defines it. This specification reference to the specification that defines it. This specification
registers the Authentication Method Reference values defined in registers the Authentication Method Reference values defined in
Section 2. Section 2.
To facilitate interoperability, the Designated Experts must either:
a. require that Authentication Method Reference values being
registered use only printable ASCII characters excluding double
quote ('"') and backslash ('\') (the Unicode characters with code
points U+0021, U+0023 through U+005B, and U+005D through U+007E),
or
b. if new Authentication Method Reference values are defined that
use other code points, require that their definitions specify the
exact Unicode code point sequences used to represent them.
Furthermore, proposed registrations that use Unicode code points
that can only be represented in JSON strings as escaped
characters must not be accepted.
Values are registered on an Expert Review [RFC5226] basis after a Values are registered on an Expert Review [RFC5226] basis after a
three-week review period on the jwt-reg-review@ietf.org mailing list, three-week review period on the jwt-reg-review@ietf.org mailing list,
on the advice of one or more Designated Experts. To increase on the advice of one or more Designated Experts. To increase
potential interoperability, the experts are requested to encourage potential interoperability, the experts are requested to encourage
registrants to provide the location of a publicly-accessible registrants to provide the location of a publicly-accessible
specification defining the values being registered, so that their specification defining the values being registered, so that their
intended usage can be more easily understood. intended usage can be more easily understood.
Registration requests sent to the mailing list for review should use Registration requests sent to the mailing list for review should use
an appropriate subject (e.g., "Request to register Authentication an appropriate subject (e.g., "Request to register Authentication
Method Reference value: otp"). Method Reference value: otp").
Within the review period, the Designated Experts will either approve Within the review period, the Designated Experts will either approve
or deny the registration request, communicating this decision to the or deny the registration request, communicating this decision to the
review list and IANA. Denials should include an explanation and, if review list and IANA. Denials should include an explanation and, if
applicable, suggestions as to how to make the request successful. applicable, suggestions as to how to make the request successful.
Registration requests that are undetermined for a period longer than Registration requests that are undetermined for a period longer than
21 days can be brought to the IESG's attention (using the 21 days can be brought to the IESG's attention (using the
iesg@ietf.org mailing list) for resolution. iesg@ietf.org mailing list) for resolution.
Criteria that should be applied by the Designated Experts includes
determining whether the proposed registration duplicates existing
functionality, whether it is likely to be of general applicability or
whether it is useful only for a single application, whether the value
is actually being used, and whether the registration description is
clear.
IANA must only accept registry updates from the Designated Experts IANA must only accept registry updates from the Designated Experts
and should direct all requests for registration to the review mailing and should direct all requests for registration to the review mailing
list. list.
It is suggested that the same Designated Experts evaluate these It is suggested that the same Designated Experts evaluate these
registration requests as those who evaluate registration requests for registration requests as those who evaluate registration requests for
the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims]. the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims].
Criteria that should be applied by the Designated Experts includes
determining whether the proposed registration duplicates existing
functionality, whether it is likely to be of general applicability or
whether it is useful only for a single application, whether the value
is actually being used, and whether the registration description is
clear.
6.1.1. Registration Template 6.1.1. Registration Template
Authentication Method Reference Name: Authentication Method Reference Name:
The name requested (e.g., "otp"). Because a core goal of this The name requested (e.g., "otp"). Because a core goal of this
specification is for the resulting representations to be compact, specification is for the resulting representations to be compact,
it is RECOMMENDED that the name be short -- that is, not to exceed it is RECOMMENDED that the name be short -- that is, not to exceed
8 characters without a compelling reason to do so. This name is 8 characters without a compelling reason to do so. To facilitate
case sensitive. Names may not match other registered names in a interoperability, the name must use only printable ASCII
case-insensitive manner unless the Designated Experts state that characters excluding double quote ('"') and backslash ('\') (the
there is a compelling reason to allow an exception. Unicode characters with code points U+0021, U+0023 through U+005B,
and U+005D through U+007E). This name is case sensitive. Names
may not match other registered names in a case-insensitive manner
unless the Designated Experts state that there is a compelling
reason to allow an exception.
Authentication Method Reference Description: Authentication Method Reference Description:
Brief description of the Authentication Method Reference (e.g., Brief description of the Authentication Method Reference (e.g.,
"One-time password"). "One-time password").
Change Controller: Change Controller:
For Standards Track RFCs, state "IESG". For others, give the name For Standards Track RFCs, state "IESG". For others, give the name
of the responsible party. Other details (e.g., postal address, of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included. email address, home page URI) may also be included.
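Review bot: moving the character rule into the registration template drops option (b) of the previous IANA Considerations text (names using other code points, defined by their exact code point sequence), so names are now ASCII-only; that matches the Document History entry, but the explicit sentence rejecting code points that can only be written as JSON escapes is now only implied by the allowed range U+0021, U+0023 through U+005B, U+005D through U+007E. Since the template also states that the name is case sensitive, one sentence saying that implementations compare "amr" values byte-for-byte and must not case-fold or normalize them would close the gap between the registry rule and what a relying party actually does with the value.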
skipping to change at page 11, line 35 skipping to change at page 11, line 35
IEC 29115:2013, April 2013, IEC 29115:2013, April 2013,
<http://www.iso.org/iso/iso_catalogue/catalogue_tc/ <http://www.iso.org/iso/iso_catalogue/catalogue_tc/
catalogue_detail.htm?csnumber=45138>. catalogue_detail.htm?csnumber=45138>.
[JECM] Williamson, G., "Enhanced Authentication In Online [JECM] Williamson, G., "Enhanced Authentication In Online
Banking", Journal of Economic Crime Management 4.2: 18-19, Banking", Journal of Economic Crime Management 4.2: 18-19,
2006, 2006,
<http://utica.edu/academic/institutes/ecii/publications/ <http://utica.edu/academic/institutes/ecii/publications/
articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>. articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>.
[MCA] ldapwiki.com, "Multiple-channel Authentication", August
2016, <https://www.ldapwiki.com/wiki/Multiple-
channel%20Authentication>.
[MSDN] Microsoft, "Integrated Windows Authentication with [MSDN] Microsoft, "Integrated Windows Authentication with
Negotiate", September 2011, Negotiate", September 2011,
<http://blogs.msdn.com/b/benjaminperkins/ <http://blogs.msdn.com/b/benjaminperkins/
archive/2011/09/14/iis-integrated-windows-authentication- archive/2011/09/14/iis-integrated-windows-authentication-
with-negotiate.aspx>. with-negotiate.aspx>.
[NIST.800-63-2] [NIST.800-63-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Electronic Authentication Guideline", NIST Special "Electronic Authentication Guideline", NIST Special
Publication 800-63-2, August 2013, Publication 800-63-2, August 2013,
skipping to change at page 12, line 15 skipping to change at page 12, line 21
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
<http://www.rfc-editor.org/info/rfc4211>. <http://www.rfc-editor.org/info/rfc4211>.
[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and [RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
O. Ranen, "HOTP: An HMAC-Based One-Time Password O. Ranen, "HOTP: An HMAC-Based One-Time Password
Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005, Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005,
<http://www.rfc-editor.org/info/rfc4226>. <http://www.rfc-editor.org/info/rfc4226>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: [RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238, Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011, DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>. <http://www.rfc-editor.org/info/rfc6238>.
[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819, January 2013, DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>. <http://www.rfc-editor.org/info/rfc6819>.
[SMS] 3rd Generation Partnership Project, "Technical realization
of the Short Message Service (SMS)", 3GPP Technical
Specification (TS) 03.40 V7.5.0 (2001-12), January 2002,
<https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=141>.
[W3C.REC-geolocation-API-20161108]
Popescu, A., "Geolocation API Specification 2nd Edition",
World Wide Web Consortium Recommendation REC-geolocation-
API-20161108, November 2016, <https://www.w3.org/TR/2016/
REC-geolocation-API-20161108>.
[W3C.WD-webauthn-20170216]
Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A.,
Birgisson, A., Hodges, J., Jones, M., Lindemann, R., and
J. Jones, "Web Authentication: An API for accessing Scoped
Credentials", World Wide Web Consortium Working Draft WD-
webauthn-20170216, February 2017,
<http://www.w3.org/TR/2017/WD-webauthn-20170216/>.
Appendix A. Examples Appendix A. Examples
In some cases, the "amr" claim value returned may contain a single In some cases, the "amr" claim value returned may contain a single
Authentication Method Reference value. For example, the following Authentication Method Reference value. For example, the following
"amr" claim value indicates that the authentication performed used an "amr" claim value indicates that the authentication performed used an
iris scan biometric: iris scan biometric:
"amr": ["iris"] "amr": ["iris"]
In other cases, the "amr" claim value returned may contain multiple In other cases, the "amr" claim value returned may contain multiple
Authentication Method Reference values. For example, the following Authentication Method Reference values. For example, the following
"amr" claim value indicates that the authentication performed used a "amr" claim value indicates that the authentication performed used a
password and knowledge-based authentication: password and knowledge-based authentication:
"amr": ["pwd", "kba"] "amr": ["pwd", "kba"]
Appendix B. Acknowledgements Appendix B. Acknowledgements
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. John Bradley, Brian Campbell, William Denniss, Linda Dunbar, values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell,
Paul Kyzivat, Elaine Newton, James Manger, Catherine Meadows, William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine
Kathleen Moriarty, Nat Sakimura, and Mike Schwartz provided reviews Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen
of the specification. Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the
specification.
Appendix C. Document History Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-05 -05
o Addressed IESG comments. Identifiers are now restricted to using
only printable JSON-friendly ASCII characters. Additional
references to documentation relevant to specific AMR values were
added.
-05
o Specified characters allowed in "amr" values, reusing the IANA o Specified characters allowed in "amr" values, reusing the IANA
Considerations language on this topic from RFC 7638. Considerations language on this topic from RFC 7638.
-04 -04
o Added examples with single and multiple values. o Added examples with single and multiple values.
o Clarified that the actual credentials referenced are not part of o Clarified that the actual credentials referenced are not part of
this specification to avoid additional privacy concerns for this specification to avoid additional privacy concerns for
biometric data. biometric data.
o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to o Clarified that the OAuth 2.0 Threat Model [RFC6819] applies to
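Review bot: the new Document History entry describing this revision's changes ("Addressed IESG comments. Identifiers are now restricted to using only printable JSON-friendly ASCII characters...") sits under a heading that reads "-05" in the new column, and "-05" then appears a second time above the entry that belongs to the previous revision; the heading over the new entry should read "-06".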
 End of changes. 30 change blocks. 
60 lines changed or deleted 94 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/