Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

Mike Jones <> Wed, 20 January 2016 21:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 805311ACF59 for <>; Wed, 20 Jan 2016 13:29:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cgfoNKmkDsP4 for <>; Wed, 20 Jan 2016 13:29:22 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D67E1ACF1C for <>; Wed, 20 Jan 2016 13:29:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1JVnEjbysAMh6YccY116h5UCaZzyj1xs+6C7csFXLm8=; b=nK3Ku3vZdkCCr3MNJLoxdSGdGekoJdn1zsC4TrTNNnBmgcf91cLatFfSoUg9otfVZQxL507/fmZnwxEXgnmYkMJFC81PW2wTpRokAuRipUV0ytvnP+8nm1XjXf/03TJVx7wfBekNmpwhtFCrtKnXnVQa/Xo/11BMzkD5I/Wqhro=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.365.19; Wed, 20 Jan 2016 21:29:19 +0000
Received: from ([]) by ([]) with mapi id 15.01.0365.024; Wed, 20 Jan 2016 21:29:19 +0000
From: Mike Jones <>
To: John Bradley <>, Justin Richer <>
Thread-Topic: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
Thread-Index: AQHRUq9MSU/VGOfqxU64HImRUaDLo58E30uAgAABywCAAAn9MA==
Date: Wed, 20 Jan 2016 21:29:18 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 310f5bf2-96ef-4b44-6302-08d321e0c196
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:3TcS0iEGC0Qxq9ZiO2ILuj+C60FEx8m19jSK88DIyJxMCtQHHdGl2x0SFwynng2iUxQr2rnIWAEnWXG+AJmnwrIWIgtDoCn62NxvGz/5icpZ6RAPoxM6nzZiKjF0TsTmrBezW7mUUZL9a2Cs6Nhfzg==; 24:K8gLjjLqvHAwWFUZGxyNW24xJb1SYsGda2sUk/2/wj5s+tkNbA9BJjI1XyJxTue2qDAZfAAvVwqnUOxmbE3P+5BhHLp0haMgCXuT3CJA4bA=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442; UriScan:;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(520078)(5005006)(10201501046)(3002001)(61426038)(61427038); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442;
x-forefront-prvs: 0827D7ACB9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(53754006)(377454003)(24454002)(13464003)(189002)(50986999)(189998001)(33656002)(122556002)(2900100001)(19580405001)(4326007)(54356999)(19580395003)(74316001)(101416001)(2171001)(11100500001)(3846002)(76176999)(77096005)(5003600100002)(40100003)(6116002)(586003)(102836003)(1220700001)(2906002)(5002640100001)(5004730100002)(15975445007)(5008740100001)(5005710100001)(87936001)(86612001)(2950100001)(1096002)(5001960100002)(8990500004)(99286002)(86362001)(66066001)(10290500002)(105586002)(5001770100001)(106356001)(106116001)(10090500001)(76576001)(10400500002)(97736004)(81156007)(92566002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jan 2016 21:29:18.7527 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jan 2016 21:29:26 -0000

The primary purpose of the specification is to establish a registry for "amr" JWT claim values.  This is important, as it increases interoperability among implementations using this claim.

It's a fair question whether "requested_amr" should be kept or dropped.  I agree with John and James that it's bad architecture.  I put it in the -00 individual draft to document existing practice.  I suspect that should the draft is adopted by the working group as a starting point, one of the first things the working group will want to decide is whether to drop it.  I suspect that I know how this will come out and I won't be sad, architecturally, to see it go.

As to whether this belongs in the OAuth working group, long ago it was decided that JWT and JWT claim definitions were within scope of the OAuth working group.  That ship has long ago sailed, both in terms of RFC 7519 and it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a registry for values of the "amr" claim, which is registered in the OAuth-established registry at, is squarely within the OAuth WG's mission for the creation and stewardship of JWT.

				-- Mike

-----Original Message-----
From: OAuth [] On Behalf Of John Bradley
Sent: Wednesday, January 20, 2016 12:44 PM
To: Justin Richer <>
Cc: <> <>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

I see your point that it is a fine line reporting how a person authenticated to a Authorization endpoit (it might be by SAML etc) and encouraging people to use OAuth for Authentication.

We already have the amr response in connect.  The only thing really missing is a registry.  Unless this is a sneaky way to get requested_amr into Connect?

John B.
> On Jan 20, 2016, at 5:37 PM, Justin Richer <> wrote:
> Just reiterating my stance that this document detailing user authentication methods has no place in the OAuth working group.
> — Justin
>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <> wrote:
>> Hi all,
>> this is the call for adoption of Authentication Method Reference 
>> Values, see
>> Please let us know by Feb 2nd whether you accept / object to the 
>> adoption of this document as a starting point for work in the OAuth 
>> working group.
>> Note: The feedback during the Yokohama meeting was inconclusive, 
>> namely
>> 9 for / zero against / 6 persons need more information.
>> You feedback will therefore be important to find out whether we 
>> should do this work in the OAuth working group.
>> Ciao
>> Hannes & Derek
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list