|OAuth Working Group||M. Jones|
|Intended status: Standards Track||P. Hunt|
|Expires: January 8, 2017||Oracle|
|July 7, 2016|
Authentication Method Reference Values
The amr (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 8, 2017.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The amr (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims] but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.
The set of amr values defined by this specification is not intended to be an exhaustive set covering all use cases. Additional values can and will be added to the registry by other specifications. Rather, the values defined herein are an intentionally small set that are already actually being used in practice.
For context, while the claim values registered pertain to authentication, note that OAuth 2.0 [RFC6749] is designed for resource authorization and cannot be used for authentication without employing appropriate extensions, such as those defined by OpenID Connect Core 1.0 [OpenID.Core]. The existence of the amr claim and values for it should not be taken as encouragement to try to use OAuth 2.0 for authentication without employing extensions enabling secure authentication to be performed.
When used with OpenID Connect, if the identity provider supplies an amr claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed. For instance, the relying party might learn that only a password was used or it might learn that iris recognition was used in combination with a hardware-secured key. Whether amr values are provided and which values are understood by what parties are both beyond the scope of this specification. The OpenID Connect MODRNA Authentication Profile 1.0 [OpenID.MODRNA] is one example of an application context that uses amr values defined by this specification.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This specification uses the terms defined by JSON Web Token (JWT) [JWT] and OpenID Connect Core 1.0 [OpenID.Core].
The amr (Authentication Methods References) claim is defined by the OpenID Connect Core 1.0 specification [OpenID.Core] as follows:
However, OpenID Connect does not specify any particular Authentication Method Reference values to be used in the amr claim. The following is a list of Authentication Method Reference values defined by this specification:
The acr (Authentication Context Class Reference) claim and acr_values request parameter are related to the amr (Authentication Methods References) claim, but with important differences. An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination. Interactions using acr_values request that the specified Authentication Context Classes be used and that the result should contain an acr claim saying which Authentication Context Class was satisfied. The acr claim in the reply states that the business rules for the class were satisfied -- not how they were satisfied.
In contrast, interactions using the amr claim make statements about the particular authentication methods that were used. This tends to be more brittle than using acr, since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new authentication methods.
The list of amr claim values returned in an ID Token reveals information about the way that the end-user authenticated to the identity provider. In some cases, this information may have privacy implications.
The security considerations in OpenID Connect Core 1.0 [OpenID.Core], OAuth 2.0 [RFC6749], and the OAuth 2.0 Threat Model [RFC6819] apply to this specification.
As described in Section 3, taking a dependence upon particular authentication methods may result in brittle systems, since the authentication methods that may be appropriate for a given authentication will vary over time.
This specification establishes the IANA "Authentication Method Reference Values" registry for amr claim array element values. The registry records the Authentication Method Reference value and a reference to the specification that defines it. This specification registers the Authentication Method Reference values defined in Section 2.
Values are registered on an Expert Review [RFC5226] basis after a three-week review period on the email@example.com mailing list, on the advice of one or more Designated Experts. To increase potential interoperability, the experts are requested to encourage registrants to provide the location of a publicly-accessible specification defining the values being registered, so that their intended usage can be more easily understood.
Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register Authentication Method Reference value: otp").
Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the firstname.lastname@example.org mailing list) for resolution.
Criteria that should be applied by the Designated Experts includes determining whether the proposed registration duplicates existing functionality, whether it is likely to be of general applicability or whether it is useful only for a single application, whether the value is actually being used, and whether the registration description is clear.
IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list.
It is suggested that the same Designated Experts evaluate these registration requests as those who evaluate registration requests for the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims].
|[IANA.JWT.Claims]||IANA, "JSON Web Token Claims"|
|[JECM]||Williamson, G., "Enhanced Authentication In Online Banking", Journal of Economic Crime Management 4.2: 18-19, 2006.|
|[JWT]||Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, May 2015.|
|[MSDN]||Microsoft, "Integrated Windows Authentication with Negotiate", September 2011.|
|[NIST.800-63-2]||National Institute of Standards and Technology (NIST), "Electronic Authentication Guideline", NIST Special Publication 800-63-2, August 2013.|
|[OpenID.Core]||Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", November 2014.|
|[RFC2119]||Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.|
|[RFC4211]||Schaad, J., "Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 4211, DOI 10.17487/RFC4211, September 2005.|
|[RFC4226]||M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D. and O. Ranen, "HOTP: An HMAC-Based One-Time Password Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005.|
|[RFC5226]||Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008.|
|[RFC6238]||M'Raihi, D., Machani, S., Pei, M. and J. Rydell, "TOTP: Time-Based One-Time Password Algorithm", RFC 6238, DOI 10.17487/RFC6238, May 2011.|
|[RFC6749]||Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012.|
|[OpenID.MODRNA]||Connotte, J. and J. Bradley, "OpenID Connect MODRNA Authentication Profile 1.0", February 2016.|
|[RFC6819]||Lodderstedt, T., McGloin, M. and P. Hunt, "OAuth 2.0 Threat Model and Security Considerations", RFC 6819, DOI 10.17487/RFC6819, January 2013.|
Caleb Baker participated in specifying the original set of amr values. John Bradley, Brian Campbell, William Denniss, James Manger, Nat Sakimura, and Mike Schwartz provided reviews of the specification.
[[ to be removed by the RFC editor before publication as an RFC ]]