Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EE91B331F for ; Tue, 16 Feb 2016 03:05:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.898 X-Spam-Level: X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrogKX2yr3yD for ; Tue, 16 Feb 2016 03:05:14 -0800 (PST) Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 018411B3323 for ; Tue, 16 Feb 2016 03:05:13 -0800 (PST) Received: by mail-pa0-x231.google.com with SMTP id fy10so62218441pac.1 for ; Tue, 16 Feb 2016 03:05:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NS+WTcfAno12/hbp8sKgBmEHO1GakBNjM9UzD8SBdMY=; b=AdGHy1RCgyHAzy5+KWwDUmg19XWmsu5OiuI7wiu0T8bT2SqrXPfKb3sX4x0LfgLIgM Rz4DJJNpfnGeZQwgEuq1dCG3T3BjCO7BXjXBABXwJzd0veXNV+Ktd3FesrF23g0Z9woV c1rAN1I/MCw53WknUqVxaJCQ1EOaoNWYoe5qIQVDb30p/BI7xanzS/xQXCWolPQK4Msj VKTud8O9hEHtOJdyl0vSBa0D//Pjo4LtR7ySv17hA9gyJLTqU+Qt0P5+ydXgy9NrPyk5 uqYvEcrQAX2Mr9q4Daio7WyGaea2yFDulYfoKfqZfopxi8xSEG95G3RkuVr2UjWrQ7/K JSig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=NS+WTcfAno12/hbp8sKgBmEHO1GakBNjM9UzD8SBdMY=; b=K24UGvEvuIgh3I+7QA2foNVLlU3i03wslCuMkTltkw9A+1cOmrfKDoUH1qfazCRpyh kg+O1esgLoqTWMwoW9csdOfpbFqIPu0wCjB+5J7uyDVABT+my82EDTI90niAIdNf49xs vC3pOgnRbMGPcM0hEsyoyCeMXMFoN3MtWQezJwmQ8N6pXrt5dOhLVGJYco4SE5EqHI2b cyA+jkuH6yvE6zAISVLITOi7QmiEte6bi/yeo40p72XLnbtIAXwZj/WL7oRncUuzCspz npDw/+hzcwt4/hswdfMpZ8RWRWsXno2R374jJ2elEIMy2Ze/9g5MgDorC7tKdJHHaGHY vBVg== X-Gm-Message-State: AG10YORz5Gl8qvkgoFDUSuFO/HxAznZtciiBi5rkvpJgz+TGX11aHz4VyZBk9yIfCzhzTrkc X-Received: by 10.66.220.104 with SMTP id pv8mr29976527pac.140.1455620713467; Tue, 16 Feb 2016 03:05:13 -0800 (PST) Received: from [10.126.115.111] (mobile-166-176-59-192.mycingular.net. [166.176.59.192]) by smtp.gmail.com with ESMTPSA id t12sm44937750pfa.54.2016.02.16.03.05.08 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 16 Feb 2016 03:05:11 -0800 (PST) Content-Type: multipart/alternative; boundary=Apple-Mail-53AA9D07-0964-4ABB-90D3-EA38F0D6F805 Mime-Version: 1.0 (1.0) From: Jim Manico X-Mailer: iPhone Mail (13D15) In-Reply-To: <138A2A47-E970-428F-8994-BAEB0BEA3894@oracle.com> Date: Tue, 16 Feb 2016 04:05:07 -0700 Content-Transfer-Encoding: 7bit Message-Id: <76769768-47AE-4A28-B922-A516EB8F5DDA@manicode.com> References: <95DA4443-B94B-4A99-ADE4-4C238DDAB1AD@mit.edu> <56C0816B.8070005@lodderstedt.net> <59471C32-2F08-41A1-9744-EC603C6DD97D@manicode.com> <138A2A47-E970-428F-8994-BAEB0BEA3894@oracle.com> To: "Phil Hunt (IDM)" Archived-At: Cc: "" Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Feb 2016 11:05:21 -0000 --Apple-Mail-53AA9D07-0964-4ABB-90D3-EA38F0D6F805 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Phil, There are four standard session ending controls. 1) Logout 2) Idle session timeout 3) Absolute timeout 4) Forced re-authentication I think these are still important and tend to not get full attention from th= e OAuth/OIDC crowd. :)=20 But the OAuth 2 standard in particular is a framework - not a standard - whi= ch can be implemented many ways, of course. Aloha, -- Jim Manico @Manicode > On Feb 15, 2016, at 5:34 PM, Phil Hunt (IDM) wrote:= >=20 > In older systems, time based logout is all you have if you aren't assessin= g risk.=20 >=20 > I would think over time will quickly diminish in its importance (or as bes= t practice) - at least as the single method for determine a session should e= nd other than explicit logout.=20 >=20 > Phil >=20 >> On Feb 15, 2016, at 16:22, Jim Manico wrote: >>=20 >> Polite comment, Google in general is pretty "open" about session manageme= nt in general - long idle timeout and no apparent absolute timeout. For a ba= nk or other organization that produces high risk software, this is not stand= ard practice. Re-authentication is a critical security boundary, not prompti= ng the user for re-authentication credentials is unacceptable in those envir= onments. >>=20 >> I may be jumping in out of context, but fair? >>=20 >> -- >> Jim Manico >> @Manicode >> +1 (808) 652-3805 >>=20 >>> On Feb 15, 2016, at 3:36 PM, William Denniss wrote= : >>>=20 >>> We return 'amr' claims in ID Tokens if "max_age" is requested (per OpenI= D Connect), e.g.: >>>=20 >>> https://accounts.google.com/o/oauth2/auth?redirect_uri=3Dhttps%3A%2F%2Fd= evelopers.google.com%2Foauthplayground&response_type=3Dcode&client_id=3D4074= 08718192.apps.googleusercontent.com&scope=3Dopenid+profile&approval_prompt=3D= force&access_type=3Doffline&max_age=3D1 >>>=20 >>> The reason we do this is to be explicit about how we are processing the "= max_age" reauth request, specifically that we don't always prompt the user t= o reauthenticate directly (but do perform in-session risk analysis). >>>=20 >>> I can see us potentially using the more generic amr values like "user", a= nd "mfa" but we will probably avoid very specific ones like "sms" or "otp" t= o avoid brittle relationships with RPs. That said, I don't object to those b= eing in the registry, perhaps there is value in some tightly coupled enterpr= ise configurations. >>>=20 >>>=20 >>>> On Sun, Feb 14, 2016 at 5:30 AM, Torsten Lodderstedt wrote: >>>> Hi Denniss, >>>>=20 >>>> out of curiosity: Does Google use amr values?=20 >>>>=20 >>>> best regards, >>>> Torsten. >>>>=20 >>>>=20 >>>>> Am 14.02.2016 um 02:40 schrieb William Denniss: >>>>>=20 >>>>>=20 >>>>> On Sat, Feb 13, 2016 at 12:19 PM, Mike Jones wrote: >>>>>> It's an acceptable fallback option if the working group decides it do= esn't want to register the values that are already in production use at the t= ime we establish the registry. But add William points out, Google is already= using some of these values. Microsoft is using some of them. The OpenID MOD= RNA specs are using some of them. So it seems more efficient to register the= m at the same time. >>>>>>=20 >>>>>> That would be my preference. >>>>>=20 >>>>> +1, it is also my preference to register the current values. >>>>>=20 >>>>> I don't see any harm in the spec that establishes the registry also se= eding it with all known values in use at the time of drafting, regardless of= the group that originally specified them. Makes the original spec more usef= ul, and avoids the need to submit each value for consideration separately =E2= =80=93 they can be all be reviewed at the same time.=20 >>>>>=20 >>>>>=20 >>>>>> From: Justin Richer >>>>>> Sent: =E2=80=8E2/=E2=80=8E13/=E2=80=8E2016 11:11 AM >>>>>> To: Phil Hunt >>>>>>=20 >>>>>> Cc: >>>>>> Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call f= or Adoption Finalized >>>>>>=20 >>>>>> Can we just do that, then? Seems to be the easiest way to address var= ious needs and concerns.=20 >>>>>>=20 >>>>>> =E2=80=94 Justin >>>>>>=20 >>>>>>> On Feb 13, 2016, at 11:08 AM, Phil Hunt (IDM) = wrote: >>>>>>>=20 >>>>>>> Yes >>>>>>>=20 >>>>>>> Phil >>>>>>>=20 >>>>>>> On Feb 13, 2016, at 07:59, "torsten@lodderstedt.net" wrote: >>>>>>>=20 >>>>>>>> So basically, the RFC could also just establish the new registry an= d oidf could feel in the values? >>>>>>>>=20 >>>>>>>> (just trying to understand) >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> -------- Originalnachricht -------- >>>>>>>> Betreff: RE: [OAUTH-WG] Authentication Method Reference Values: Cal= l for Adoption Finalized >>>>>>>> Von: Mike Jones >>>>>>>> An: torsten@lodderstedt.net,John Bradley >>>>>>>> Cc: oauth@ietf.org >>>>>>>>=20 >>>>>>>> The context that most people on this thread probably don=E2=80=99t h= ave is that an IANA registry can only be established by an RFC. Non-RFC spe= cifications, such as OpenID specifications, can *register* values in a regis= try, but they cannot *establish* a registry. The OpenID Foundation inquired= about this with the IETF before OpenID Connect was finalized and learned th= at its specifications could not establish IANA registries. = Otherwise, they would have. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> Instead, RFCs need to be created to establish registries =E2=80=93 e= ven for values first defined in non-RFC specifications. This specification i= s one example of doing this. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> -- Mike >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lo= dderstedt.net >>>>>>>> Sent: Saturday, February 13, 2016 6:37 AM >>>>>>>> To: John Bradley >>>>>>>> Cc: oauth@ietf.org >>>>>>>> Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Cal= l for Adoption Finalized >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> We clearly have this problem between oauth and oidc. Just take a lo= ok at the discovery thread. >>>>>>>>=20 >>>>>>>> According to you argument I see two options: >>>>>>>> (1) amr stays an oidc claim, is used in oidc only and the oauth wg j= ust publishes the registry entries. In this case, the spec should clearly ex= plain this. >>>>>>>> (2) amr is of any use in oauth (although it has been invented in oi= dc) - than define it and motivate it's use in oauth in this spec. >>>>>>>>=20 >>>>>>>> Right now, I think it creates the impression oauth is for authentic= ation. >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> -------- Originalnachricht -------- >>>>>>>> Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Cal= l for Adoption Finalized >>>>>>>> Von: John Bradley >>>>>>>> An: torsten@lodderstedt.net >>>>>>>> Cc: roland.hedberg@umu.se,oauth@ietf.org >>>>>>>>=20 >>>>>>>> This is not a issue between oauth and OIDC. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> This has to do with the registry for JWT being in OAuth. Many pro= tocols that use JWT are going to want to register claims. =20 >>>>>>>>=20 >>>>>>>> We can=E2=80=99t ask them to all move the parts of there specs that= use JWT to OAuth. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> Perhaps JWT should have been part of JOSE, but that is water under t= he bridge. =20 >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> The OAuth WG is responsible for JWT and it=E2=80=99s registry, and w= e will need to deal with registering claims. =20 >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> I guess that we can tell people that they need to publish the specs= defining the claims someplace else, and just do the registry part. >>>>>>>>=20 >>>>>>>> However doing that will probably not improve interoperability and u= nderstanding. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> This document defines the claim for JWT in general. We still have a= lmost no documentation in the WG about what a JWT access token would contain= other than the POP work. >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> John B. >>>>>>>>=20 >>>>>>>> On Feb 13, 2016, at 9:18 AM, torsten@lodderstedt.net wrote: >>>>>>>>=20 >>>>>>>> =20 >>>>>>>>=20 >>>>>>>> I basically support adoption of this document. Asserting authentica= tion methods in access tokens (in this case in JWTS format) is reasonable. W= e use it to pass information about the authentication performed prior issuin= g an access token to the _resource_ server. >>>>>>>>=20 >>>>>>>> What worries me is the back and forth between oauth and oidc. The a= mr claim is defined in oidc (which sits on top of oauth) but the oauth wg sp= ecifies the registry? Moreover, the current text does not give a rationale f= or using amr in context of oauth. >>>>>>>>=20 >>>>>>>> As a WG we need to find a clear delineation between both protocols,= otherwise noone will really understand the difference and when to use what.= We create confusion! >>>>>>>>=20 >>>>>>>> For this particular draft this means to either move amr to oauth or= the registry to oidc. >>>>>>>>=20 >>>>>>>> best regards,=20 >>>>>>>> Torsten. >>>>>>>>=20 >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> -------- Urspr=C3=BCngliche Nachricht -------- >>>>>>>> Von: Roland Hedberg >>>>>>>> Gesendet: Friday, February 12, 2016 05:45 PM >>>>>>>> An: oauth@ietf.org >>>>>>>> Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Cal= l for Adoption Finalized >>>>>>>>=20 >>>>>>>> +1 >>>>>>>>=20 >>>>>>>> > 12 feb 2016 kl. 16:58 skrev John Bradley : >>>>>>>> >=20 >>>>>>>> > +1 to adopt this draft. >>>>>>>> >=20 >>>>>>>> >> On Feb 12, 2016, at 3:07 AM, Mike Jones wrote: >>>>>>>> >>=20 >>>>>>>> >> Draft -05 incorporates the feedback described below - deleting t= he request parameter, noting that this spec isn't an encouragement to use OA= uth 2.0 for authentication without employing appropriate extensions, and no l= onger requiring a specification for IANA registration. I believe that it=E2= =80=99s now ready for working group adoption. >>>>>>>> >>=20 >>>>>>>> >> -- Mik= e >>>>>>>> >>=20 >>>>>>>> >> -----Original Message----- >>>>>>>> >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes T= schofenig >>>>>>>> >> Sent: Thursday, February 4, 2016 11:23 AM >>>>>>>> >> To: oauth@ietf.org >>>>>>>> >> Subject: [OAUTH-WG] Authentication Method Reference Values: Call= for Adoption Finalized >>>>>>>> >>=20 >>>>>>>> >> Hi all, >>>>>>>> >>=20 >>>>>>>> >> On January 19th I posted a call for adoption of the Authenticati= on Method Reference Values s= pecification, see http://www.ietf.org/mail-archive/web/oauth/current/msg1540= 2.html >>>>>>>> >>=20 >>>>>>>> >> What surprised us is that this work is conceptually very simple:= we define new claims and create a registry with new values. Not a big deal b= ut that's not what the feedback from the Yokohama IETF meeting and the subse= quent call for adoption on the list shows. The feedback lead to mixed feelin= gs and it is a bit difficult for Derek and myself to judge consensus. >>>>>>>> >>=20 >>>>>>>> >> Let me tell you what we see from the comments on the list. >>>>>>>> >>=20 >>>>>>>> >> In his review at >>>>>>>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15423.html= James Manger asks for significant changes. Among other things, he wants to r= emove one of the claims. He provides a detailed review and actionable items.= >>>>>>>> >>=20 >>>>>>>> >> William Denniss believes the document is ready for adoption but a= grees with some of the comments from James. Here is his review: >>>>>>>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15426.html= >>>>>>>> >>=20 >>>>>>>> >> Justin is certainly the reviewer with the strongest opinion. Her= e is one of his posts: >>>>>>>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15457.html= >>>>>>>> >>=20 >>>>>>>> >> Among all concerns Justin expressed the following one is actuall= y actionable IMHO: Justin is= worried that reporting how a= person authenticated to an authorization endpoint and encouraging people to= use OAuth for authentication is a fine line. He believes that this document= leads readers to believe the latter. >>>>>>>> >>=20 >>>>>>>> >> John agrees with Justin in >>>>>>>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15448.html= that we need to make sure that people are not mislead about the intention o= f the document. John also provides additional comments in this post to the >>>>>>>> >> list: http://www.ietf.org/mail-archive/web/oauth/current/msg1544= 1.html >>>>>>>> >> Most of them require more than just editing work. For example, m= ethods listed are really not useful, >>>>>>>> >>=20 >>>>>>>> >> Phil agrees with the document adoption but has some remarks abou= t the registry although he does not propose specific text. His review is her= e: >>>>>>>> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15462.html= >>>>>>>> >>=20 >>>>>>>> >> With my co-chair hat on: I just wanted to clarify that registeri= ng claims (and values within those claims) is within the scope of the OAuth w= orking group. We standardized the JWT in this group and we are also chartere= d to standardize claims, as we are currently doing with various drafts. Not s= tandardizing JWT in the IETF would have lead to reduced interoperability and= less security. I have no doubts that was a wrong decision. >>>>>>>> >>=20 >>>>>>>> >> In its current form, there is not enough support to have this do= cument as a WG item. >>>>>>>> >>=20 >>>>>>>> >> We believe that the document authors should address some of the e= asier comments and submit a new version. This would allow us to reach out to= those who had expressed concerns about the scope of the document to re-eval= uate their decision. A new draft version should at = least address the following issues: >>>>>>>> >>=20 >>>>>>>> >> * Clarify that this document is not an encouragement for using O= Auth as an authentication protocol. I believe that this would address some o= f the concerns raised by Justin and John. >>>>>>>> >>=20 >>>>>>>> >> * Change the registry policy, which = would address one of the comments from James, William, a= nd Phil. >>>>>>>> >>=20 >>>>>>>> >> Various other items require discussion since they are more diffi= cult to address. For example, John noted that he does not like the use of re= quest parameters. Unfortunately, no alternative is offered. I urge John to p= rovide an alternative proposal, if there is one. Also, the remark that the v= alues are meaningless could be countered with an alternative proposal. James= wanted to remove the "amr_values" parameter. >>>>>>>> >> Is this what others want as well? >>>>>>>> >>=20 >>>>>>>> >> After these items have been addressed we believe that more folks= in the group will support the document. >>>>>>>> >>=20 >>>>>>>> >> Ciao >>>>>>>> >> Hannes & Derek >>>>>>>> >>=20 >>>>>>>> >>=20 >>>>>>>> >>=20 >>>>>>>> >> _______________________________________________ >>>>>>>> >> OAuth mailing list >>>>>>>> >> OAuth@ietf.org >>>>>>>> >> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>> >=20 >>>>>>>> > _______________________________________________ >>>>>>>> > OAuth mailing list >>>>>>>> > OAuth@ietf.org >>>>>>>> > https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>=20 >>>>>>>> =E2=80=94 Roland >>>>>>>>=20 >>>>>>>> =E2=80=9DEverybody should be quiet near a little stream and listen.= " >>>>>>>> >=46rom =E2=80=99Open House for Butterflies=E2=80=99 by Ruth Krauss= >>>>>>>>=20 >>>>>>>>=20 >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>=20 >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>=20 >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>=20 >>>>>>=20 >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>=20 >>>>>=20 >>>>>=20 >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail-53AA9D07-0964-4ABB-90D3-EA38F0D6F805 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Phil,

There are four standard session= ending controls.

1) Logout
2) Idle ses= sion timeout
3) Absolute timeout
4) Forced re-authentication

I think thes= e are still important and tend to not get full attention from the OAuth/OIDC= crowd. :) 

But the OAuth 2 standard in particular is a framework - no= t a standard - which can be implemented many ways, of course.

Aloha,
--
Jim Manico
@Manicode

On Feb 15, 2= 016, at 5:34 PM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:

=
In older systems, time based logout is all you have if you aren't ass= essing risk. 

I would think over time will quickly diminish in its imp= ortance (or as best practice) - at least as the single method for determine a= session should end other than explicit logout. 

Phil

On Feb 15, 2016, at 16:22, Jim Manico &= lt;jim@manicode.com> wrote:
Polite comment, Google in general i= s pretty "open" about session management in general - long idle timeout and n= o apparent absolute timeout. For a bank or other organization that produces h= igh risk software, this is not standard practice. Re-authentication is a cri= tical security boundary, not prompting the user for re-authentication creden= tials is unacceptable in those environments.

I may be jumping in out of con= text, but fair?

--
Jim Manico
@Manicode
+1 (808) 652-3805

On Feb 15, 2016, at 3:36 PM, Wil= liam Denniss <wdenniss@google.com<= /a>> wrote:

=
We return 'amr' claims in ID Tokens if "max_age" is requested (per Open= ID Connect), e.g.:

https://accounts.googl= e.com/o/oauth2/auth?redirect_uri=3Dhttps%3A%2F%2Fdevelopers.google.com%2Foau= thplayground&response_type=3Dcode&client_id=3D407408718192.apps.goog= leusercontent.com&scope=3Dopenid+profile&approval_prompt=3Dforce&= ;access_type=3Doffline&max_age=3D1

The reason= we do this is to be explicit about how we are processing the "max_age" reau= th request, specifically that we don't always prompt the user to reauthentic= ate directly (but do perform in-session risk analysis).

=
I can see us potentially using the more generic amr values like "user",= and "mfa" but we will probably avoid very specific ones like "sms" or "otp"= to avoid brittle relationships with RPs. That said, I don't object to those= being in the registry, perhaps there is value in some tightly coupled enter= prise configurations.


On Sun, Feb 14, 2016 at 5:30 AM, Torsten Lodderstedt= <torsten@lodderstedt.net> wrote:
=20 =20 =20
Hi Denniss,

out of curiosity: Does Google use amr values?

best regards,
Torsten.


Am 14.02.2016 um 02:40 schrieb William Denniss:


On Sat, Feb 13, 2016 at 12:19 PM, Mike Jones <Michael.Jones@microsoft.com>= wrote:
It's an acceptable fallback option if the working group decides it doesn't want to register the values that are already in production use at the time we establish the registry. But add William points out, Google is already using some of these values. Microsoft is using some of them. The OpenID MODRNA specs are using some of them. So it seems more efficient to register them at the same time.

That would be my preference.

+1, it is also my preference to register the current values.

I don't see any harm in the spec that establishes the registry also seeding it with all known values in use at the time of drafting, regardless of the group that originally specified them. Makes the original spec more useful, and avoids the need to submit each value for consideration separately =E2=80=93 they can be all be reviewed= at the same time. 


From: Justin Richer
Sent: =E2=80=8E2/=E2=80=8E13/=E2=80=8E2016 11:11 AM
To: Phil Hunt

Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

Can we just do that, then? Seems to be the easiest way to address various needs and concerns. 

 =E2=80=94 Justin

On Feb 13, 2016, at 11:08 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:

Yes

Phil

On Feb 13, 2016, at 07:59, "torsten@lodderstedt.net" <torsten@lodderstedt.net> wrote:

So basically, the RFC could also just establish the new registry and oidf could feel in the values?

(just trying to understand)



-------- Originalnachricht --------
Betreff: RE: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
Von: Mike Jones <Michael.Jones@microsoft.com> An: torsten@lodderstedt.net,John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth@ietf.org

T= he context that most people on this thread probably don=E2=80=99t= have is that an IANA registry can only be established by an RFC.  Non-RFC specifications,= such as OpenID specifications, can *register* values in a registry, but they cannot *establish* a registry.  The OpenID Foundation inquired about this with the IETF before OpenID Connect was finalized and learned that its specifications could not establish IANA registries.  Otherwise, they would have.=

&= nbsp;

I= nstead, RFCs need to be created to establish registries =E2=80=93 eve= n for values first defined in non-RFC specifications.  This= specification is one example of doing this.

&= nbsp;

&= nbsp;            = ;            &nb= sp;            &= nbsp;            = ;       -- Mike

 

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of torsten@lodderstedt.net
Sent: Saturday, February 13, 2016 6:37 AM
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

 

We clearly have this problem between oauth and oidc. Just take a look at the discovery thread.

According to you argument I see two options:
(1) amr stays an oidc claim, is used in oidc only and the oauth wg just publishes the registry entries. In this case, the spec should clearly explain this.
(2) amr is of any use in oauth (although it has been invented in oidc) - than define it and motivate it's use in oauth in this spec.

Right now, I think it creates the impression oauth is for authentication.



-------- Originalnachricht --------
Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
Von: John Bradley <ve7jtb@ve7jtb.com>
An: torsten@lodderstedt.net
Cc: roland.hedberg@umu.se,oauth@ietf.o= rg

This is not a issue between oauth and OIDC.

 

This has to do with the registry for JWT being in OAuth.   Many protocols that use JWT are going to want to register claims.  

We can=E2=80=99= t ask them to all move the parts of there specs that use JWT to OAuth.

 

Perhaps JWT should have been part of JOSE, but that is water under the bridge.  

 

The OAuth WG is responsible for JWT and it=E2=80=99s registry, and we will= need to deal with registering claims.  

 

I guess that we can tell people that they need to publish the specs defining the claims someplace else, and just do the registry part.

However doing that will probably not improve interoperability and understanding.

 

This document defines the claim for JWT in general.  We still hav= e almost no documentation in the WG about what a JWT access token would contain other than the POP work.

 

John B.

On Feb 13, 2016, at 9:18 AM, torsten@lod= derstedt.net wrote:

 

I basically support adoption of this document. Asserting authentication methods in access tokens (in this case in JWTS format) is reasonable. We use it to pass information about the authentication performed prior issuing an access token to the _resource_ server.

What worries me is the back and forth between oauth and oidc. The amr claim is defined in oidc (which sits on top of oauth) but the oauth wg specifies the registry? Moreover, the current text does not give a rationale for using amr in context of oauth.

As a WG we need to find a clear delineation between both protocols, otherwise noone will really understand the difference and when to use what. We create confusion!

For this particular draft this means to either move amr to oauth or the registry to oidc.

best regards,
Torsten.



-------- Urspr=C3=BCngliche Nachricht --------
Von: Roland Hedberg <roland.hedberg@umu.se>
Gesendet: Friday, February 12, 2016 05:45 PM
An: oauth@ietf.org
Betreff: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

+1

> 12 feb 2016 kl. 16:58 skrev John Bradley <ve7jtb@ve7jtb.com>:
>
> +1 to adopt this draft.
>
>> On Feb 12, 2016, at 3:07 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>
>> Draft -05 incorporates the feedback described below - deleting the request parameter, noting that this spec isn't an encouragement to use OAuth 2.0 for authentication without employing appropriate extensions, and no longer requiring a specification for IANA registration.  I believ= e that it=E2=80=99s now ready f= or working group adoption.
>>
>>   &n= bsp;            =             &nbs= p;            &n= bsp;            =      -- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org]= On Behalf Of Hannes Tschofenig
>> Sent: Thursday, February 4, 2016 11:23 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized
>>
>> Hi all,
>>
>> On January 19th I posted a call for adoption of the Authentication Method Reference Values specification, see http://www.ietf.org/mail-archive/web/oauth/current/ms= g15402.html
>>
>> What surprised us is that this work is conceptually very simple: we define new claims and create a registry with new values. Not a big deal but that's not what the feedback from the Yokohama IETF meeting and the subsequent call for adoption on the list shows. The feedback lead to mixed feelings and it is a bit difficult for Derek and myself to judge consensus.
>>
>> Let me tell you what we see from the comments on the list.
>>
>> In his review at
>> = http://www.ietf.org/mail-archive/web/oauth/current/ms= g15423.html James Manger asks for significant changes. Among other things, he wants to remove one of the claims. He provides a detailed review and actionable items.
>>
>> William Denniss believes the document is ready for adoption but agrees with some of the comments from James. Here is his review:
>> = http://www.ietf.org/mail-archive/web/oauth/current/ms= g15426.html
>>
>> Justin is certainly the reviewer with the strongest opinion. Here is one of his posts:
>> = http://www.ietf.org/mail-archive/web/oauth/current/ms= g15457.html
>>
>> Among all concerns Justin expressed the following one is actually actionable IMHO: Justin is worried that reporting how a person authenticated to an authorization endpoint and encouraging people to use OAuth for authentication is a fine line. He believes that this document leads readers to believe the latter.
>>
>> John agrees with Justin in
>> = http://www.ietf.org/mail-archive/web/oauth/current/ms= g15448.html that we need to make sure that people are not mislead about the intention of the document. John also provides additional comments in this post to the
>> list: http://www.ietf.org/mail-archive/web/oauth/current/ms= g15441.html
>> Most of them require more than just editing work. For example, methods listed are really not useful,
>>
>> Phil agrees with the document adoption but has some remarks about the registry although he does not propose specific text. His review is here:
>> = http://www.ietf.org/mail-archive/web/oauth/current/ms= g15462.html
>>
>> With my co-chair hat on: I just wanted to clarify that registering claims (and values within those claims) is within the scope of the OAuth working group. We standardized the JWT in this group and we are also chartered to standardize claims, as we are currently doing with various drafts. Not standardizing JWT in the IETF would have lead to reduced interoperability and less security. I have no doubts that was a wrong decision.
>>
>> In its current form, there is not enough support to have this document as a WG item.
>>
>> We believe that the document authors should address some of the easier comments and submit a new version. This would allow us to reach out to those who had expressed concerns about the scope of the document to re-evaluate their decision. A new draft version should at least address the following issues:
>>
>> * Clarify that this document is not an encouragement for using OAuth as an authentication protocol. I believe that this would address some of the concerns raised by Justin and John.
>>
>> * Change the registry policy, which would address one of the comments from James, William, and Phil.
>>
>> Various other items require discussion since they are more difficult to address. For example, John noted that he does not like the use of request parameters. Unfortunately, no alternative is offered. I urge John to provide an alternative proposal, if there is one. Also, the remark that the values are meaningless could be countered with an alternative proposal. James wanted to remove the "amr_values" parameter.
>> Is this what others want as well?
>>
>> After these items have been addressed we believe that more folks in the group will support the document.
>>
>> Ciao
>> Hannes & Derek
>>
>>
>>
>> ____________________________= ___________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.or= g/mailman/listinfo/oauth
>
> ____________________________= ___________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/ma= ilman/listinfo/oauth

=E2=80=94 Roland

=E2=80=9DEverybody should be= quiet near a little stream and listen."
>=46rom =E2=80=99Open Hou= se for Butterflies=E2=80=99 by Ruth= Krauss


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman= /listinfo/oauth

_______= ________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman= /listinfo/oauth

 

_______________________________= ________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinf= o/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth<= br>


_______________________________________________
OAuth mailing list
OAuth@ietf= .org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
ht=
tps://www.ietf.org/mailman/listinfo/oauth


____________________= ___________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mai= lman/listinfo/oauth
___________________________________________= ____
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth=
= --Apple-Mail-53AA9D07-0964-4ABB-90D3-EA38F0D6F805--