OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                                 P. Hunt
Expires: January 23, 2016                                         Oracle
                                                           July 22, 2015


                 Authentication Method Reference Values
                     draft-jones-oauth-amr-values-00

Abstract

   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry but no
   standard Authentication Method Reference values are currently
   defined.  This specification establishes a registry for
   Authentication Method Reference values and defines an initial set of
   Authentication Method Reference values.  It also defines the
   "amr_values" (requested Authentication Method Reference values)
   request parameter for requesting that a set of Authentication Method
   Reference values be used for processing the Authentication Request.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 23, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Notation and Conventions
     1.2.  Terminology
   2.  Authentication Method Reference Values
   3.  Authentication Request Parameter
   4.  Relationship to "acr" (Authentication Context Class Reference)
   5.  Privacy Considerations
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  Authentication Method Reference Values Registry
       7.1.1.  Registration Template
       7.1.2.  Initial Registry Contents
     7.2.  OAuth Parameters Registration
       7.2.1.  Registry Contents
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Document History
   Authors' Addresses

1.  Introduction

   The "amr" (Authentication Methods References) claim is defined and
   registered in the IANA "JSON Web Token Claims" registry
   [IANA.JWT.Claims] but no standard Authentication Method Reference
   values are currently defined.  This specification establishes a
   registry for Authentication Method Reference values and defines an
   initial set of Authentication Method Reference values.  It also
   defines the "amr_values" (requested Authentication Method Reference
   values) request parameter for requesting that a set of Authentication
   Method Reference values be used for processing the Authentication
   Request.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

1.2.  Terminology

   This specification uses the terms defined by JSON Web Token (JWT)
   [JWT] and OpenID Connect Core 1.0 [OpenID.Core].

2.  Authentication Method Reference Values

   The "amr" (Authentication Methods References) claim is defined by the
   OpenID Connect Core 1.0 specification [OpenID.Core] as follows:

   amr
      OPTIONAL.  Authentication Methods References.  JSON array of
      strings that are identifiers for authentication methods used in
      the authentication.  For instance, values might indicate that both
      password and OTP authentication methods were used.  The definition
      of particular values to be used in the "amr" Claim is beyond the
      scope of this specification.  Parties using this claim will need
      to agree upon the meanings of the values used, which may be
      context-specific.  The "amr" value is an array of case sensitive
      strings.

   However, OpenID Connect does not specify any particular
   Authentication Method Reference values to be used in the "amr" claim.
   The following is a list of Authentication Method Reference values
   defined by this specification:

   pwd
      Password authentication, either by the user or the service if a
      client secret is used

   pop
      Proof of possession of a key

   otp
      One time password

   fpt
      Fingerprint biometric

   eye
      Retina scan biometric

   vbm
      Voice biometric

   tel
      Confirmation by telephone call

   sms
      Confirmation by SMS reply

   kba
      Knowledge based authentication

   wia
      Windows integrated authentication

   mfa
      Multiple factor authentication.  When this is present, the other
      authentication methods used will also be included.

3.  Authentication Request Parameter

   This section defines the following authentication request parameter,
   augmenting the set of authentication request parameters defined in
   Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]:

   amr_values
      OPTIONAL.  Requested Authentication Method Reference values.
      Space-separated string that specifies the "amr" values that the
      Authorization Server is being requested to use for processing this
      Authentication Request, with the values appearing in order of
      preference.  The authentication methods used for the
      authentication performed are returned as the "amr" Claim Value.

4.  Relationship to "acr" (Authentication Context Class Reference)

   The "acr" (Authentication Context Class Reference) claim and
   "acr_values" request parameter are related to the "amr"
   (Authentication Methods References) claim and "amr_values" request
   parameter, but with important differences.  Authentication Context
   Classes specify a set of business rules that authentications are
   being requested to satisfy.  These rules can often be satisfied by
   using a number of different specific authentication methods, either
   singly or in combination.  Interactions using "acr" request that
   specified Authentication Context Classes be used and reply saying
   which Authentication Context Class was satisfied.  The reply states
   that it was satisfied -- not how it was satisfied.

   In contrast, interactions using "amr" make statements about the
   particular authentication methods that are used.  This tends to be
   more brittle than using "acr" since the authentication methods that
   may be appropriate for a given authentication will vary over time,
   both because of the evolution of attacks on existing methods and the
   creation of new authentication methods.

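   The following Python is an added worked example and is not part of
   the draft.  It applies the rules stated in Sections 2 and 3 on both
   sides of the exchange: the Authorization Server parses the
   space-separated "amr_values" parameter in order of preference and
   picks a method it can perform, and the Relying Party checks the "amr"
   claim it gets back (JSON array, case-sensitive strings, registered
   values, "mfa" accompanied by the other methods used).  The function
   names, the treatment of repeated values, and the choice to report
   rather than reject unregistered values are this example's own
   assumptions; the value table is the Section 2 list.

```python
from typing import Optional

# Authentication Method Reference values defined in Section 2 of the draft.
AMR_VALUES = {
    "pwd": "Password authentication, either by the user or the service "
           "if a client secret is used",
    "pop": "Proof of possession of a key",
    "otp": "One time password",
    "fpt": "Fingerprint biometric",
    "eye": "Retina scan biometric",
    "vbm": "Voice biometric",
    "tel": "Confirmation by telephone call",
    "sms": "Confirmation by SMS reply",
    "kba": "Knowledge based authentication",
    "wia": "Windows integrated authentication",
    "mfa": "Multiple factor authentication",
}


def parse_amr_values(param: str) -> list:
    """Parse the space-separated "amr_values" request parameter.

    Order of preference is preserved.  Assumption (not in the draft): a
    value repeated later in the string adds nothing and is dropped.
    """
    ordered = []
    for token in param.split(" "):
        if token and token not in ordered:
            ordered.append(token)
    return ordered


def choose_method(requested: list, supported: set) -> Optional[str]:
    """Authorization Server side: the first requested value, in order of
    preference, that this server can actually perform; None if none."""
    for value in requested:
        if value in supported:
            return value
    return None


def validate_amr_claim(amr: object, known: dict = AMR_VALUES) -> list:
    """Relying Party side: return the problems found in an "amr" claim
    value (an empty list means it is well formed).

    Rules applied, all from the draft text: the claim is a JSON array of
    case-sensitive strings; a value outside the registry is reported
    (the draft says parties must agree on meanings, so the RP decides
    whether to accept it); when "mfa" is present the other methods used
    must also be listed.
    """
    if not isinstance(amr, list):
        return ["amr is not a JSON array"]
    problems = []
    for value in amr:
        if not isinstance(value, str):
            problems.append(f"non-string element: {value!r}")
        elif value in known:
            continue
        elif value.lower() in known:
            problems.append(
                f"{value!r} is not registered; values are case sensitive "
                f"(registered form is {value.lower()!r})"
            )
        else:
            problems.append(f"unregistered value: {value!r}")
    others = [v for v in amr if isinstance(v, str) and v != "mfa"]
    if "mfa" in amr and not others:
        problems.append('"mfa" present but no other authentication method listed')
    return problems


def requested_method_used(requested: list, amr: list) -> bool:
    """Relying Party side: did the returned "amr" claim include any of the
    requested methods?  The draft does not oblige the Authorization
    Server to honour the request, so False is a policy decision for the
    RP rather than a defect in the token."""
    return any(value in amr for value in requested)


if __name__ == "__main__":
    # Constructed sample exchange, not taken from the draft.
    requested = parse_amr_values("fpt otp pwd otp")
    print("requested, in order:", requested)
    print("server picks:", choose_method(requested, {"pwd", "otp", "sms"}))
    returned_amr = ["otp", "pwd", "mfa"]          # constructed ID Token claim
    print("claim problems:", validate_amr_claim(returned_amr))
    print("request honoured:", requested_method_used(requested, returned_amr))
    print("bad claim:", validate_amr_claim(["PWD", "mfa"]))
```

   The case check is deliberately one-directional: "PWD" is reported as
   unregistered, never silently folded to "pwd", because the draft makes
   the values case sensitive and an RP that normalises case would accept
   a token whose meaning it cannot look up.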
5.  Privacy Considerations

   The list of "amr" claim values returned in an ID Token reveals
   information about the way that the end-user authenticated to the
   identity provider.  In some cases, this information may have privacy
   implications.

6.  Security Considerations

   The security considerations in OpenID Connect Core 1.0 [OpenID.Core],
   OAuth 2.0 [RFC6749], and the OAuth 2.0 Threat Model [RFC6819] apply
   to this specification.

   As described in Section 4, taking a dependence upon particular
   authentication methods may result in brittle systems, since the
   authentication methods that may be appropriate for a given
   authentication will vary over time.

7.  IANA Considerations

7.1.  Authentication Method Reference Values Registry

   This specification establishes the IANA "Authentication Method
   Reference Values" registry for "amr" claim array element values.  The
   registry records the Authentication Method Reference value and a
   reference to the specification that defines it.  This specification
   registers the Authentication Method Reference values defined in
   Section 2.

   Values are registered on a Specification Required [RFC5226] basis
   after a three-week review period on the jwt-reg-review@ietf.org
   mailing list, on the advice of one or more Designated Experts.
   However, to allow for the allocation of values prior to publication,
   the Designated Experts may approve registration once they are
   satisfied that such a specification will be published.

   Registration requests sent to the mailing list for review should use
   an appropriate subject (e.g., "Request to register Authentication
   Method Reference value: otp").

   Within the review period, the Designated Experts will either approve
   or deny the registration request, communicating this decision to the
   review list and IANA.  Denials should include an explanation and, if
   applicable, suggestions as to how to make the request successful.
   Registration requests that are undetermined for a period longer than
   21 days can be brought to the IESG's attention (using the
   iesg@ietf.org mailing list) for resolution.

   Criteria that should be applied by the Designated Experts include
   determining whether the proposed registration duplicates existing
   functionality, whether it is likely to be of general applicability or
   whether it is useful only for a single application, and whether the
   registration description is clear.

   IANA must only accept registry updates from the Designated Experts
   and should direct all requests for registration to the review mailing
   list.

   It is suggested that the same Designated Experts evaluate these
   registration requests as those who evaluate registration requests for
   the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims].

7.1.1.  Registration Template

   Authentication Method Reference Name:
      The name requested (e.g., "otp").  Because a core goal of this
      specification is for the resulting representations to be compact,
      it is RECOMMENDED that the name be short -- that is, not to exceed
      8 characters without a compelling reason to do so.  This name is
      case sensitive.  Names may not match other registered names in a
      case-insensitive manner unless the Designated Experts state that
      there is a compelling reason to allow an exception.

   Authentication Method Reference Description:
      Brief description of the Authentication Method Reference (e.g.,
      "One time password").

   Change Controller:
      For Standards Track RFCs, state "IESG".  For others, give the name
      of the responsible party.  Other details (e.g., postal address,
      email address, home page URI) may also be included.

   Specification Document(s):
      Reference to the document or documents that specify the parameter,
      preferably including URIs that can be used to retrieve copies of
      the documents.  An indication of the relevant sections may also be
      included but is not required.

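   The following Python is an added example, not part of the draft, of
   the mechanical checks a Designated Expert or registration tool could
   run against a request before the judgement calls in Section 7.1
   (duplicated functionality, general applicability) are made.  It
   encodes the Section 7.1.1 template rules: a short name (8 characters
   is the RECOMMENDED ceiling), case-sensitive names that must not
   collide case-insensitively with an existing entry, and the required
   template fields.  The dataclass, function names, the shortened
   descriptions and the sample request "hwk" are this example's own
   constructions; the registry entries are those of Section 7.1.2.

```python
from dataclasses import dataclass

# "not to exceed 8 characters without a compelling reason" (Section 7.1.1)
RECOMMENDED_MAX_NAME_LENGTH = 8


@dataclass(frozen=True)
class Registration:
    """One row of the Section 7.1.1 template (field names are this
    example's own)."""
    name: str
    description: str
    change_controller: str
    specification_documents: str


# Initial registry contents from Section 7.1.2, descriptions shortened.
INITIAL_REGISTRY = [
    Registration("pwd", "Password authentication", "IESG", "Section 2"),
    Registration("pop", "Proof of possession of a key", "IESG", "Section 2"),
    Registration("otp", "One time password", "IESG", "Section 2"),
    Registration("fpt", "Fingerprint biometric", "IESG", "Section 2"),
    Registration("eye", "Retina scan biometric", "IESG", "Section 2"),
    Registration("vbm", "Voice biometric", "IESG", "Section 2"),
    Registration("tel", "Confirmation by telephone call", "IESG", "Section 2"),
    Registration("sms", "Confirmation by SMS reply", "IESG", "Section 2"),
    Registration("kba", "Knowledge based authentication", "IESG", "Section 2"),
    Registration("wia", "Windows integrated authentication", "IESG", "Section 2"),
    Registration("mfa", "Multiple factor authentication", "IESG", "Section 2"),
]


def check_registration(req: Registration, registry: list) -> list:
    """Return the template problems found in a registration request
    (empty list = nothing for the Designated Experts to push back on
    mechanically)."""
    issues = []
    if not req.name:
        issues.append("name must not be empty")
    elif len(req.name) > RECOMMENDED_MAX_NAME_LENGTH:
        issues.append(
            f"name {req.name!r} exceeds the RECOMMENDED "
            f"{RECOMMENDED_MAX_NAME_LENGTH} characters; a compelling reason is needed"
        )
    for existing in registry:
        if existing.name == req.name:
            issues.append(f"name {req.name!r} is already registered")
            break
        # Names are case sensitive, but a case-insensitive match is still
        # refused unless the Designated Experts grant an exception.
        if existing.name.casefold() == req.name.casefold():
            issues.append(
                f"name {req.name!r} matches registered {existing.name!r} "
                f"case-insensitively; needs a Designated Expert exception"
            )
            break
    required = (
        ("description", req.description),
        ("change controller", req.change_controller),
        ("specification document(s)", req.specification_documents),
    )
    for field_name, value in required:
        if not value.strip():
            issues.append(f"{field_name} is missing")
    return issues


def review_subject(name: str) -> str:
    """Subject line of the form Section 7.1 suggests for the review list."""
    return f"Request to register Authentication Method Reference value: {name}"


if __name__ == "__main__":
    # Constructed sample requests; "hwk" is a made-up name, not a real value.
    candidate = Registration("hwk", "Hardware key", "IESG",
                             "Section 2 of [[ example draft ]]")
    print(review_subject(candidate.name), check_registration(candidate, INITIAL_REGISTRY))
    clash = Registration("OTP", "One time password", "IESG", "some document")
    print(check_registration(clash, INITIAL_REGISTRY))
```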
7.1.2.  Initial Registry Contents

   o  Authentication Method Reference Name: "pwd"
   o  Authentication Method Reference Description: Password
      authentication, either by the user or the service if a client
      secret is used
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "pop"
   o  Authentication Method Reference Description: Proof of possession
      of a key
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "otp"
   o  Authentication Method Reference Description: One time password
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "fpt"
   o  Authentication Method Reference Description: Fingerprint biometric
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "eye"
   o  Authentication Method Reference Description: Retina scan biometric
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "vbm"
   o  Authentication Method Reference Description: Voice biometric
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "tel"
   o  Authentication Method Reference Description: Confirmation by
      telephone call
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "sms"
   o  Authentication Method Reference Description: Confirmation by SMS
      reply
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "kba"
   o  Authentication Method Reference Description: Knowledge based
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "wia"
   o  Authentication Method Reference Description: Windows integrated
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

   o  Authentication Method Reference Name: "mfa"
   o  Authentication Method Reference Description: Multiple factor
      authentication
   o  Change Controller: IESG
   o  Specification Document(s): Section 2 of [[ this document ]]

7.2.  OAuth Parameters Registration

   This section registers the following parameter in the IANA "OAuth
   Parameters" registry [IANA.OAuth.Parameters] established in RFC 6749
   [RFC6749].

7.2.1.  Registry Contents

   o  Parameter name: "amr_values"
   o  Parameter usage location: Authorization Request
   o  Change controller: IESG
   o  Specification document(s): Section 3 of [[ this document ]]
   o  Related information: None

8.  References

8.1.  Normative References

   [IANA.JWT.Claims]
              IANA, "JSON Web Token Claims".

   [IANA.OAuth.Parameters]
              IANA, "OAuth Parameters".

   [JWT]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, May 2015.

   [OpenID.Core]
              Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
              C. Mortimore, "OpenID Connect Core 1.0", November 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
              RFC2119, March 1997.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012.

8.2.  Informative References

   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", RFC 6819,
              DOI 10.17487/RFC6819, January 2013.

Appendix A.  Document History

   [[ to be removed by the RFC editor before publication as an RFC ]]

   -00

   o  Defined the IANA "Authentication Method Reference Values"
      registry.

Authors' Addresses

   Michael B. Jones
   Microsoft

   Email: mbj@microsoft.com
   URI:   http://self-issued.info/


   Phil Hunt
   Oracle

   Email: phil.hunt@yahoo.com