Draft M. Jones Microsoft July 5, 2016 OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00 Abstract OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. This specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators. Jones [Page 1] OpenID Connect EAP ACR Values 1.0 July 2016 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation and Conventions . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Authentication Context Class Reference Values . . . . . . . . 4 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4.1. Level of Assurance Profiles Registration . . . . . . . . . 6 4.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 6 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. Normative References . . . . . . . . . . . . . . . . . . . 7 5.2. Informative References . . . . . . . . . . . . . . . . . . 7 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . . . 9 Appendix C. Open Issues . . . . . . . . . . . . . . . . . . . . . 10 Appendix D. Document History . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 Jones [Page 2] OpenID Connect EAP ACR Values 1.0 July 2016 1. Introduction OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End- User in an interoperable and REST-like manner. This specification enables OpenID Connect [OpenID.Core] Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing- resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials [W3C.WD-webauthn-20160531] or FIDO authenticators. 1.1. Requirements Notation and Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of "this fixed-width font". 1.2. Terminology This specification uses the terms defined by OpenID Connect Core 1.0 [OpenID.Core]. Jones [Page 3] OpenID Connect EAP ACR Values 1.0 July 2016 2. Authentication Context Class Reference Values The "acr" (Authentication Context Class Reference) claim and associated "acr_values" request parameter are defined by the OpenID Connect Core 1.0 specification [OpenID.Core]. The following Authentication Context Class Reference values are defined by this specification: phr Phishing-Resistant. An authentication mechanism where a party potentially under the control of the Relying Party cannot gain sufficient information to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider). NOTE: These semantics are the same as those specified in [OpenID.PAPE]. phrh Phishing-Resistant Hardware-Protected. An authentication mechanism meeting the requirements for phishing-resistant authentication above in which additionally information needed to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User is held in a hardware- protected device or component. Jones [Page 4] OpenID Connect EAP ACR Values 1.0 July 2016 3. Security Considerations Per commonly accepted security practices, it should be noted that the overall strength of any authentication is only as strong as its weakest step. It is thus recommended that provisioning of phishing- resistant and other credentials stronger than shared secrets should be accomplished using methods that are at least as strong as the credential being provisioned. By counter-example, allowing people to retrieve a phishing-resistant credential using only a phishable shared secret negates much of the value provided by the phishing- resistant credential itself. Similarly, sometimes using a phishing- resistant method when a phishable method continues to also sometimes be employed may still enable phishing attacks to compromise the authentication. Jones [Page 5] OpenID Connect EAP ACR Values 1.0 July 2016 4. IANA Considerations 4.1. Level of Assurance Profiles Registration This specification registers the following values in the IANA "Level of Assurance Profiles" registry [IANA.LoA] established by [RFC6711]: 4.1.1. Registry Contents o URI: http://schemas.openid.net/pape/policies/2007/06/phishing-resistant o Name: phr o Informational URI: [[ this specification ]] o Reference: mbj@microsoft.com o Context Class: TBD o URI: http://schemas.openid.net/acr/2016/07/phishing-resistant-hardware o Name: phrh o Informational URI: [[ this specification ]] o Reference: mbj@microsoft.com o Context Class: TBD Jones [Page 6] OpenID Connect EAP ACR Values 1.0 July 2016 5. References 5.1. Normative References [IANA.LoA] IANA, "Level of Assurance Profiles", . [OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", November 2014, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March 1997, . [RFC6711] Johansson, L., "An IANA Registry for Level of Assurance (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, August 2012, . [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . 5.2. Informative References [OpenID.PAPE] Recordon, D., Jones, M., Bufu, J., Ed., Daugherty, J., Ed., and N. Sakimura, "OpenID Provider Authentication Policy Extension 1.0", December 2008, . [W3C.WD-webauthn-20160531] Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A., Birgisson, A., Hodges, J., B. Jones, M., and R. Lindemann, "Web Authentication: A Web API for accessing scoped credentials", World Wide Web Consortium First Public Working Draft WD-webauthn-20160531, May 2016, . Jones [Page 7] OpenID Connect EAP ACR Values 1.0 July 2016 Appendix A. Acknowledgements The phishing-resistant authentication definition is a result of earlier work done by the OpenID Provider Authentication Policy Extension working group. Jones [Page 8] OpenID Connect EAP ACR Values 1.0 July 2016 Appendix B. Notices Copyright (c) 2016 The OpenID Foundation. The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non- infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification. Jones [Page 9] OpenID Connect EAP ACR Values 1.0 July 2016 Appendix C. Open Issues In the IANA registration for the "phr" (phishing-resistant) acr value, should we reuse the URI http://schemas.openid.net/pape/policies/2007/06/phishing-resistant already defined by [OpenID.PAPE] with this meaning, or define a new one that's parallel to http://schemas.openid.net/acr/2016/07/phishing-resistant-hardware? (This may not matter a lot since the short names "phr" and "phrh" are what would be used in practice in OpenID Connect anyway.) Jones [Page 10] OpenID Connect EAP ACR Values 1.0 July 2016 Appendix D. Document History [[ To be removed from the final specification ]] -00 o Created initial version. Jones [Page 11] OpenID Connect EAP ACR Values 1.0 July 2016 Author's Address Michael B. Jones Microsoft Email: mbj@microsoft.com URI: http://self-issued.info/ Jones [Page 12]