Authentication Method Reference Values
Microsoft
mbj@microsoft.com
http://self-issued.info/
Oracle
phil.hunt@yahoo.com
Security Area
OAuth Working Group
Authentication Method Reference
Authentication Method
"amr" Claim
The amr (Authentication Methods References) claim
is defined and registered in the IANA "JSON Web Token Claims" registry
but no standard Authentication Method Reference values are currently defined.
This specification establishes a registry for Authentication Method Reference
values and defines an initial set of Authentication Method Reference values.
It also defines the amr_values
(requested Authentication Method Reference values) request parameter
for requesting that a set of Authentication Method Reference values
be used for processing the Authentication Request.
The amr (Authentication Methods References) claim
is defined and registered in the IANA "JSON Web Token Claims" registry
but no standard Authentication Method Reference values are currently defined.
This specification establishes a registry for Authentication Method Reference
values and defines an initial set of Authentication Method Reference values.
It also defines the amr_values
(requested Authentication Method Reference values) request parameter
for requesting that a set of Authentication Method Reference values
be used for processing the Authentication Request.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in
RFC 2119 .
This specification uses the terms
defined by JSON Web Token (JWT) and
OpenID Connect Core 1.0 .
The amr (Authentication Methods References) claim
is defined by the OpenID Connect Core 1.0 specification
as follows:
OPTIONAL.
Authentication Methods References.
JSON array of strings that are identifiers for authentication methods
used in the authentication.
For instance, values might indicate that both password and OTP
authentication methods were used.
The definition of particular values to be used in the
amr Claim
is beyond the scope of this specification.
Parties using this claim will need to agree upon the meanings of
the values used, which may be context-specific.
The amr value is an array of
case sensitive strings.
However, OpenID Connect does not specify any particular
Authentication Method Reference values
to be used in the amr claim.
The following is a list of Authentication Method Reference values
defined by this specification:
Password authentication, either by the user or
the service if a client secret is used
Proof of possession of a key
One time password
Fingerprint biometric
Retina scan biometric
Voice biometric
Confirmation by telephone call
Confirmation by SMS reply
Knowledge based authentication
Windows integrated authentication
Multiple factor authentication.
When this is present,
the other authentication methods used will also be included.
This section defines the following authentication request parameter,
augmenting the set of authentication request parameters defined in
Section 3.1.2.1 of OpenID Connect Core 1.0 :
OPTIONAL.
Requested Authentication Method Reference values.
Space-separated string that specifies the amr
values that the Authorization Server is being requested to use
for processing this Authentication Request,
with the values appearing in order of preference.
The authentication methods used for the authentication
performed are returned as the amr Claim Value.
The acr (Authentication Context Class Reference)
claim and acr_values request parameter
are related to
the amr (Authentication Methods References)
claim and amr_values request parameter,
but with important differences.
Authentication Context Classes specify a set of business rules that
authentications are being requested to satisfy.
These rules can often be satisfied by using a number of different
specific authentication methods, either singly or in combination.
Interactions using acr request that
specified Authentication Context Classes be used and
reply saying which Authentication Context Class was satisfied.
The reply states that it was satisfied -- not how it was satisfied.
In contrast, interactions using amr
make statements about the particular authentication methods that are used.
This tends to be more brittle than using acr
since the authentication methods that may be appropriate for a given
authentication will vary over time, both because of the evolution of attacks
on existing methods and the creation of new authentication methods.
The list of amr claim values returned in
an ID Token reveals information about the way that the end-user
authenticated to the identity provider.
In some cases, this information may have privacy implications.
The security considerations in
OpenID Connect Core 1.0 ,
OAuth 2.0 , and
the OAuth 2.0 Threat Model
apply to this specification.
As described in , taking a dependence
upon particular authentication methods may result in brittle systems,
since the authentication methods that may be appropriate for a given
authentication will vary over time.
This specification establishes the
IANA "Authentication Method Reference Values" registry
for amr claim array element values.
The registry records the Authentication Method Reference value
and a reference to the specification that defines it.
This specification registers the Authentication Method Reference values
defined in .
Values are registered on a Specification Required
basis after a three-week review period on the jwt-reg-review@ietf.org mailing
list, on the advice of one or more Designated Experts. However, to allow for the
allocation of values prior to publication, the Designated Experts may approve
registration once they are satisfied that such a specification will be published.
Registration requests sent to the mailing list for review should use
an appropriate subject
(e.g., "Request to register Authentication Method Reference value: otp").
Within the review period, the Designated Experts will either approve or
deny the registration request, communicating this decision to the review list and IANA.
Denials should include an explanation and, if applicable, suggestions as to how to make
the request successful.
Registration requests that are undetermined for
a period longer than 21 days can be brought to the IESG's attention
(using the iesg@ietf.org mailing list) for resolution.
Criteria that should be applied by the Designated Experts includes
determining whether the proposed registration duplicates existing functionality,
whether it is likely to be of general applicability
or whether it is useful only for a single application,
and whether the registration description is clear.
IANA must only accept registry updates from the Designated Experts and should direct
all requests for registration to the review mailing list.
It is suggested that the same Designated Experts evaluate these
registration requests as those who evaluate registration requests
for the IANA "JSON Web Token Claims" registry .
The name requested (e.g., "otp").
Because a core goal of this specification is for the resulting
representations to be compact, it is RECOMMENDED that the name be short
-- that is, not to exceed 8 characters without a compelling reason to do so.
This name is case sensitive.
Names may not match other registered names in a case-insensitive manner
unless the Designated Experts state that there is a compelling reason
to allow an exception.
Brief description of the Authentication Method Reference
(e.g., "One time password").
For Standards Track RFCs, state "IESG". For others, give the name of the
responsible party. Other details (e.g., postal address, email address, home page
URI) may also be included.
Reference to the document or documents that specify the parameter,
preferably including URIs that
can be used to retrieve copies of the documents.
An indication of the relevant
sections may also be included but is not required.
Authentication Method Reference Name: pwd
Authentication Method Reference Description:
Password authentication, either by the user or
the service if a client secret is used
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: pop
Authentication Method Reference Description:
Proof of possession of a key
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: otp
Authentication Method Reference Description:
One time password
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: fpt
Authentication Method Reference Description:
Fingerprint biometric
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: eye
Authentication Method Reference Description:
Retina scan biometric
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: vbm
Authentication Method Reference Description:
Voice biometric
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: tel
Authentication Method Reference Description:
Confirmation by telephone call
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: sms
Authentication Method Reference Description:
Confirmation by SMS reply
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: kba
Authentication Method Reference Description:
Knowledge based authentication
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: wia
Authentication Method Reference Description:
Windows integrated authentication
Change Controller: IESG
Specification Document(s): of [[ this document ]]
Authentication Method Reference Name: mfa
Authentication Method Reference Description:
Multiple factor authentication
Change Controller: IESG
Specification Document(s): of [[ this document ]]
This section registers the following parameter
in the IANA "OAuth Parameters" registry
established in RFC 6749 .
Parameter name: amr_values
Parameter usage location: Authorization Request
Change controller: IESG
Specification document(s): of [[ this document ]]
Related information: None
OpenID Connect Core 1.0
Nomura Research Institute, Ltd.
Ping Identity
Microsoft
Google
Salesforce
JSON Web Token (JWT)
Microsoft
mbj@microsoft.com
http://self-issued.info/
Ping Identity
ve7jtb@ve7jtb.com
http://www.thread-safe.com/
Nomura Research Institute
n-sakimura@nri.co.jp
http://nat.sakimura.org/
JSON Web Token Claims
IANA
OAuth Parameters
IANA
[[ to be removed by the RFC editor before publication as an RFC
]]
-00
Defined the IANA "Authentication Method Reference Values" registry.