TOC 
DraftM. Jones
 Microsoft
 July 5, 2016


OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators.



Table of Contents

1.  Introduction
    1.1.  Requirements Notation and Conventions
    1.2.  Terminology
2.  Authentication Context Class Reference Values
3.  Security Considerations
4.  IANA Considerations
    4.1.  Level of Assurance Profiles Registration
        4.1.1.  Registry Contents
5.  References
    5.1.  Normative References
    5.2.  Informative References
Appendix A.  Acknowledgements
Appendix B.  Notices
Appendix C.  Open Issues
Appendix D.  Document History
§  Author's Address




 TOC 

1.  Introduction

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.) protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This specification enables OpenID Connect [OpenID.Core] (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.) Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials [W3C.WD‑webauthn‑20160531] (Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A., Birgisson, A., Hodges, J., B. Jones, M., and R. Lindemann, “Web Authentication: A Web API for accessing scoped credentials,” May 2016.) or FIDO authenticators.



 TOC 

1.1.  Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].

In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of this fixed-width font.



 TOC 

1.2.  Terminology

This specification uses the terms defined by OpenID Connect Core 1.0 (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.) [OpenID.Core].



 TOC 

2.  Authentication Context Class Reference Values

The acr (Authentication Context Class Reference) claim and associated acr_values request parameter are defined by the OpenID Connect Core 1.0 specification [OpenID.Core] (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.). The following Authentication Context Class Reference values are defined by this specification:

phr
Phishing-Resistant. An authentication mechanism where a party potentially under the control of the Relying Party cannot gain sufficient information to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider). NOTE: These semantics are the same as those specified in [OpenID.PAPE] (Recordon, D., Jones, M., Bufu, J., Ed., Daugherty, J., Ed., and N. Sakimura, “OpenID Provider Authentication Policy Extension 1.0,” December 2008.).
phrh
Phishing-Resistant Hardware-Protected. An authentication mechanism meeting the requirements for phishing-resistant authentication above in which additionally information needed to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User is held in a hardware-protected device or component.



 TOC 

3.  Security Considerations

Per commonly accepted security practices, it should be noted that the overall strength of any authentication is only as strong as its weakest step. It is thus recommended that provisioning of phishing-resistant and other credentials stronger than shared secrets should be accomplished using methods that are at least as strong as the credential being provisioned. By counter-example, allowing people to retrieve a phishing-resistant credential using only a phishable shared secret negates much of the value provided by the phishing-resistant credential itself. Similarly, sometimes using a phishing-resistant method when a phishable method continues to also sometimes be employed may still enable phishing attacks to compromise the authentication.



 TOC 

4.  IANA Considerations



 TOC 

4.1.  Level of Assurance Profiles Registration

This specification registers the following values in the IANA "Level of Assurance Profiles" registry [IANA.LoA] (IANA, “Level of Assurance Profiles,” .) established by [RFC6711] (Johansson, L., “An IANA Registry for Level of Assurance (LoA) Profiles,” August 2012.):



 TOC 

4.1.1.  Registry Contents



 TOC 

5.  References



 TOC 

5.1. Normative References

[IANA.LoA] IANA, “Level of Assurance Profiles.”
[OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC6711] Johansson, L., “An IANA Registry for Level of Assurance (LoA) Profiles,” RFC 6711, DOI 10.17487/RFC6711, August 2012.
[RFC6749] Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” RFC 6749, DOI 10.17487/RFC6749, October 2012.


 TOC 

5.2. Informative References

[OpenID.PAPE] Recordon, D., Jones, M., Bufu, J., Ed., Daugherty, J., Ed., and N. Sakimura, “OpenID Provider Authentication Policy Extension 1.0,” December 2008.
[W3C.WD-webauthn-20160531] Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A., Birgisson, A., Hodges, J., B. Jones, M., and R. Lindemann, “Web Authentication: A Web API for accessing scoped credentials,” World Wide Web Consortium First Public Working Draft WD-webauthn-20160531, May 2016 (HTML).


 TOC 

Appendix A.  Acknowledgements

The phishing-resistant authentication definition is a result of earlier work done by the OpenID Provider Authentication Policy Extension working group.



 TOC 

Appendix B.  Notices

Copyright (c) 2016 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.



 TOC 

Appendix C.  Open Issues

In the IANA registration for the phr (phishing-resistant) acr value, should we reuse the URI http://schemas.openid.net/pape/policies/2007/06/phishing-resistant already defined by [OpenID.PAPE] (Recordon, D., Jones, M., Bufu, J., Ed., Daugherty, J., Ed., and N. Sakimura, “OpenID Provider Authentication Policy Extension 1.0,” December 2008.) with this meaning, or define a new one that's parallel to http://schemas.openid.net/acr/2016/07/phishing-resistant-hardware? (This may not matter a lot since the short names phr and phrh are what would be used in practice in OpenID Connect anyway.)



 TOC 

Appendix D.  Document History

[[ To be removed from the final specification ]]

-00



 TOC 

Author's Address

  Michael B. Jones
  Microsoft
Email:  mbj@microsoft.com
URI:  http://self-issued.info/