draft-ietf-oauth-amr-values-06.txt   draft-ietf-oauth-amr-values-07.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: September 1, 2017 Oracle Expires: September 9, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
February 28, 2017 March 8, 2017
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-06 draft-ietf-oauth-amr-values-07
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 1, 2017. This Internet-Draft will expire on September 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation and Conventions . . . . . . . . . . 3 1.1. Requirements Notation and Conventions . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Authentication Method Reference Values . . . . . . . . . . . 3 2. Authentication Method Reference Values . . . . . . . . . . . 4
3. Relationship to "acr" (Authentication Context Class 3. Relationship to "acr" (Authentication Context Class
Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5 Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 7
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 8
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 8 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 13 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 13
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 13 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 14
Appendix C. Document History . . . . . . . . . . . . . . . . . . 13 Appendix C. Document History . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
initial set of Authentication Method Reference values. initial set of Authentication Method Reference values.
skipping to change at page 3, line 7 skipping to change at page 3, line 7
OPTIONAL. Authentication Methods References. JSON array of OPTIONAL. Authentication Methods References. JSON array of
strings that are identifiers for authentication methods used in strings that are identifiers for authentication methods used in
the authentication. For instance, values might indicate that both the authentication. For instance, values might indicate that both
password and OTP authentication methods were used. The definition password and OTP authentication methods were used. The definition
of particular values to be used in the "amr" Claim is beyond the of particular values to be used in the "amr" Claim is beyond the
scope of this specification. Parties using this claim will need scope of this specification. Parties using this claim will need
to agree upon the meanings of the values used, which may be to agree upon the meanings of the values used, which may be
context-specific. The "amr" value is an array of case sensitive context-specific. The "amr" value is an array of case sensitive
strings. strings.
The "amr" values defined by this specification is not intended to be Each "amr" value typically provides an identifier for a family of
closely-related authentication methods. For example, the "otp"
identifier intentionally covers both time-based and HMAC-based OTPs.
Many relying parties will be content to know that an OTP has been
used in addition to a password; the distinction between which kind of
OTP was used is not useful to them. Thus, there's a single
identifier that can be satisfied in two or more nearly equivalent
ways.
Similarly, there's a whole range of nuances between different
fingerprint matching algorithms. They differ in false positive and
false negative rates over different population samples and also
differ based on the kind and model of fingerprint sensor used. Like
the OTP case, many relying parties will be content to know that a
fingerprint match mas made, without delving into and differentiating
based on every aspect of the implementation of fingerprint capture
and match. The "fpt" identifier accomplishes this.
Ultimately, the relying party is depending upon the identity provider
to do reasonable things. If it does not trust the identity provider
to do so, it has no business using it. The "amr" value lets the
identity provider signal to the relying party additional information
about what it did, for the cases in which that information is useful
to the relying party.
The "amr" values defined by this specification are not intended to be
an exhaustive set covering all use cases. Additional values can and an exhaustive set covering all use cases. Additional values can and
will be added to the registry by other specifications. Rather, the will be added to the registry by other specifications. Rather, the
values defined herein are an intentionally small set that are already values defined herein are an intentionally small set that are already
actually being used in practice. actually being used in practice.
The values defined by this specification only make distinctions that
are known to be useful to relying parties. Slicing things more
finely than would be used in practice would actually hurt interop,
rather than helping it, because it would force relying parties to
recognize that several or many different values actually mean the
same thing to them.
For context, while the claim values registered pertain to For context, while the claim values registered pertain to
authentication, note that OAuth 2.0 [RFC6749] is designed for authentication, note that OAuth 2.0 [RFC6749] is designed for
resource authorization and cannot be used for authentication without resource authorization and cannot be used for authentication without
employing appropriate extensions, such as those defined by OpenID employing appropriate extensions, such as those defined by OpenID
Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and
values for it should not be taken as encouragement to try to use values for it should not be taken as encouragement to try to use
OAuth 2.0 for authentication without employing extensions enabling OAuth 2.0 for authentication without employing extensions enabling
secure authentication to be performed. secure authentication to be performed.
When used with OpenID Connect, if the identity provider supplies an When used with OpenID Connect, if the identity provider supplies an
skipping to change at page 6, line 33 skipping to change at page 7, line 15
Authentication Method Reference values is beyond the scope of this Authentication Method Reference values is beyond the scope of this
specification. specification.
5. Security Considerations 5. Security Considerations
The security considerations in OpenID Connect Core 1.0 [OpenID.Core] The security considerations in OpenID Connect Core 1.0 [OpenID.Core]
and OAuth 2.0 [RFC6749] and the OAuth 2.0 Threat Model [RFC6819] and OAuth 2.0 [RFC6749] and the OAuth 2.0 Threat Model [RFC6819]
apply to applications using this specification. apply to applications using this specification.
As described in Section 3, taking a dependence upon particular As described in Section 3, taking a dependence upon particular
authentication methods may result in brittle systems, since the authentication methods may result in brittle systems since the
authentication methods that may be appropriate for a given authentication methods that may be appropriate for a given
authentication will vary over time. authentication will vary over time.
6. IANA Considerations 6. IANA Considerations
6.1. Authentication Method Reference Values Registry 6.1. Authentication Method Reference Values Registry
This specification establishes the IANA "Authentication Method This specification establishes the IANA "Authentication Method
Reference Values" registry for "amr" claim array element values. The Reference Values" registry for "amr" claim array element values. The
registry records the Authentication Method Reference value and a registry records the Authentication Method Reference value and a
skipping to change at page 12, line 7 skipping to change at page 12, line 40
[NIST.800-63-2] [NIST.800-63-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Electronic Authentication Guideline", NIST Special "Electronic Authentication Guideline", NIST Special
Publication 800-63-2, August 2013, Publication 800-63-2, August 2013,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-63-2.pdf>. NIST.SP.800-63-2.pdf>.
[OpenID.MODRNA] [OpenID.MODRNA]
Connotte, J. and J. Bradley, "OpenID Connect MODRNA Connotte, J. and J. Bradley, "OpenID Connect MODRNA
Authentication Profile 1.0", September 2016, Authentication Profile 1.0", March 2017,
<https://bitbucket.org/openid/mobile/raw/default/draft- <http://openid.net/specs/
mobile-authentication-01.txt>. openid-connect-modrna-authentication-1_0.html>.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
<http://www.rfc-editor.org/info/rfc4211>. <http://www.rfc-editor.org/info/rfc4211>.
[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and [RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
O. Ranen, "HOTP: An HMAC-Based One-Time Password O. Ranen, "HOTP: An HMAC-Based One-Time Password
Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005, Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005,
<http://www.rfc-editor.org/info/rfc4226>. <http://www.rfc-editor.org/info/rfc4226>.
skipping to change at page 13, line 42 skipping to change at page 14, line 20
values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell, values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell,
William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine
Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen
Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the
specification. specification.
Appendix C. Document History Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-05 -07
o Clarified that the values are intended to provide identifiers for
families of closely-related authentication methods.
o Updated the MODRNA Authentication Profile reference.
-06
o Addressed IESG comments. Identifiers are now restricted to using o Addressed IESG comments. Identifiers are now restricted to using
only printable JSON-friendly ASCII characters. Additional only printable JSON-friendly ASCII characters. Additional
references to documentation relevant to specific AMR values were references to documentation relevant to specific AMR values were
added. added.
-05 -05
o Specified characters allowed in "amr" values, reusing the IANA o Specified characters allowed in "amr" values, reusing the IANA
Considerations language on this topic from RFC 7638. Considerations language on this topic from RFC 7638.
 End of changes. 13 change blocks. 
25 lines changed or deleted 63 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/