[OAUTH-WG] Publishing authentication level as first amr value

Mike Schwartz <mike@gluu.org> Fri, 11 November 2016 20:05 UTC

Return-Path: <mike@gluu.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 897DE129571 for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2016 12:05:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-1.497, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=gluu.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mMgm5zmAhkcn for <oauth@ietfa.amsl.com>; Fri, 11 Nov 2016 12:05:34 -0800 (PST)
Received: from webmail.gluu.org (webmail.gluu.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 504B5129CA0 for <oauth@ietf.org>; Fri, 11 Nov 2016 12:05:34 -0800 (PST)
Received: from localhost (localhost []) by webmail.gluu.org (Postfix) with ESMTP id D8677B41CA for <oauth@ietf.org>; Fri, 11 Nov 2016 20:05:33 +0000 (UTC)
Authentication-Results: webmail.gluu.org (amavisd-new); dkim=pass reason="pass (just generated, assumed good)" header.d=gluu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gluu.org; h= user-agent:message-id:references:in-reply-to:organization :subject:subject:to:from:from:date:date :content-transfer-encoding:content-type:content-type :mime-version; s=dkim; t=1478894733; x=1479758734; bh=NVJOEt8YLW nyFHGAFwSmmGqbKJH/S8fShvO3fKq72Us=; b=aCbUr7pxp6iRnuE20gL8JJ66gC ZAaRfuMuydIfjSKqe3JAHzX7NWdYQKkX1uj1WtEuQ4bfGWOXog/8y4EIj2cRc6aZ b8xy6UW0sdoSD7UDQS0M982zEqjzo2/Qj8+ISyKuMg1epw5/ww1aFBraFyG/OR2X N3PcdLKCB88eKa+KM=
Received: from webmail.gluu.org ([]) by localhost (webmail.gluu.org []) (amavisd-new, port 10024) with ESMTP id 0KjDfoxLaIdC for <oauth@ietf.org>; Fri, 11 Nov 2016 15:05:33 -0500 (EST)
Received: from webmail.gluu.org (localhost []) by webmail.gluu.org (Postfix) with ESMTPSA id A4F2AB410E for <oauth@ietf.org>; Fri, 11 Nov 2016 15:05:33 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Fri, 11 Nov 2016 14:05:33 -0600
From: Mike Schwartz <mike@gluu.org>
To: oauth@ietf.org
Organization: Gluu
In-Reply-To: <mailman.5655.1438279987.3631.oauth@ietf.org>
References: <mailman.5655.1438279987.3631.oauth@ietf.org>
Message-ID: <cc9f8caed5268c05d2fd9af7d62e847e@gluu.org>
X-Sender: mike@gluu.org
User-Agent: Roundcube Webmail
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OKmiPFmXFnbnikObjOqbxeY8FHE>
Subject: [OAUTH-WG] Publishing authentication level as first amr value
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2016 20:05:36 -0000

Gluu is working on a free open source app called Cred Mgr:

As the name suggests, this app is a user-facing application that let's 
the person reset existing credentials and register new credentials. To 
avoid degrading the security of credentials, we want to make sure that a 
person can only reset a credential if they present one with equal or 
greater stength, or "level"

Cred-mgr knows the level, because we are returning it as the first value 
in the amr array in the id_token. We are also publishing a mapping of 
amr values to acr values in the OP discovery page. For example:

  "auth_level_mapping": {
         "50": ["http://example.com/saml"],
         "10": ["http://example.com/u2f", "http://example.com/duo"],
         "1": ["http://example.com/pw"]

If we could agree on this appraoch, then it could be interoperable 
across domains. I don't see any other solutions being proposed, so no 
one can figure out how to properly handle multi-factor credential reset 
in a standard way.

- Mike

Michael Schwartz
Founder / CEO