Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

Justin Richer <> Wed, 20 January 2016 23:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 03CDB1B2A57 for <>; Wed, 20 Jan 2016 15:01:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IbERMaHjH6Q1 for <>; Wed, 20 Jan 2016 15:01:04 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4BA831B2A30 for <>; Wed, 20 Jan 2016 15:01:04 -0800 (PST)
X-AuditID: 1209190e-f79046d0000036c0-3a-56a011ae740a
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 57.96.14016.EA110A65; Wed, 20 Jan 2016 18:01:02 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id u0KN11og015915; Wed, 20 Jan 2016 18:01:02 -0500
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id u0KN0x8S007241 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 20 Jan 2016 18:01:01 -0500
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_4EECEA1D-0541-40F6-8E83-AA582E27BE98"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5.2
From: Justin Richer <>
In-Reply-To: <>
Date: Wed, 20 Jan 2016 18:00:59 -0500
Message-Id: <>
References: <> <> <> <> <>
To: John Bradley <>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrFKsWRmVeSWpSXmKPExsUixG6nrrtOcEGYwbY2HYu90z6xWJx8+4rN YvXdv2wOzB5Llvxk8mjd8Zfd4/btjSwBzFFcNimpOZllqUX6dglcGROWXWYt2KdZ0dSxjr2B ca9SFyMnh4SAicT5F3PYIGwxiQv31gPZXBxCAouZJKZ8nQflbGSU+PD5DJRzm0ni48vfTCAt wgKBEq9mr2QHsXkF9CRe3brMClLELDCFUaLlzBeWLkYOoLlSEjP2C4DUsAmoSkxf0wLWyylg J7F2wTJGkBIWoPj6iVIgYWaBKInu3T/ZQcK8AlYSM95UgISFBDqYJN71WIPYIgIqEvv2PWKE OFpWYvfvR0wTGAVnITliFrIjZoGN1ZZYtvA1M4StKbG/ezlUXF5i+9s5UHFLicUzb0DFbSVu 9S1ggrDtJB5NW8S6gJFjFaNsSm6Vbm5iZk5xarJucXJiXl5qka6xXm5miV5qSukmRlA0cUry 7WD8elDpEKMAB6MSD++Na/PDhFgTy4orcw8xSnIwKYnyfuFZECbEl5SfUpmRWJwRX1Sak1p8 iFEFaNejDasvMEqx5OXnpSqJ8Oo9AmrlTUmsrEotyocpk+ZgURLn3dUxN0xIID2xJDU7NbUg tQgmK8PBoSTBKy8AtECwKDU9tSItM6cEIc3EwXmIUYKDB2i4DkgNb3FBYm5xZjpE/hSjopQ4 70d+oIQASCKjNA+uF5QEE94eNn3FKA70ljBEOw8wgcJ1vwIazAQ0eK8ZyNXFJYkIKakGximu R/9P4PHfVRBhczxa9I/Hiy5pycnHu0SObdzbfNxkw7bj9nun872b9HxTleq8K50nvPWMg8SP Z9muKTrzbPm+/S/z2gL/9uZMXfLO7+s8g+P7fyifcX8nHb1yZqaRwOmzM3yWT2VoUuFfcXOH UvWr1kO5X56dunTjjqXwzw1mT/tkYwMPHxZXYinOSDTUYi4qTgQAJD1ll10DAAA=
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jan 2016 23:01:07 -0000

As it’s currently written it’s not really limited to defining JWT claims, and so I’m with John that if that’s what this turns into and stays that way then it’s fine. I’m very afraid of scope creep and this being used for something it shouldn’t be.

And, as Mike well knows, I did not support the decision to bring JWT to this group, nor do I think we should be necessarily bound by the mistakes of the past when making future decisions of what to work on. :)

 — Justin

> On Jan 20, 2016, at 5:07 PM, John Bradley <> wrote:
> So if this is scoped to be a registry for the values of a JWT claim then it is fine.
> We should discourage people from thinking that it is part of the OAuth protocol vs JWT claims.
> John B.
>> On Jan 20, 2016, at 6:29 PM, Mike Jones <> wrote:
>> The primary purpose of the specification is to establish a registry for "amr" JWT claim values.  This is important, as it increases interoperability among implementations using this claim.
>> It's a fair question whether "requested_amr" should be kept or dropped.  I agree with John and James that it's bad architecture.  I put it in the -00 individual draft to document existing practice.  I suspect that should the draft is adopted by the working group as a starting point, one of the first things the working group will want to decide is whether to drop it.  I suspect that I know how this will come out and I won't be sad, architecturally, to see it go.
>> As to whether this belongs in the OAuth working group, long ago it was decided that JWT and JWT claim definitions were within scope of the OAuth working group.  That ship has long ago sailed, both in terms of RFC 7519 and it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a registry for values of the "amr" claim, which is registered in the OAuth-established registry at, is squarely within the OAuth WG's mission for the creation and stewardship of JWT.
>> 				-- Mike
>> -----Original Message-----
>> From: OAuth [] On Behalf Of John Bradley
>> Sent: Wednesday, January 20, 2016 12:44 PM
>> To: Justin Richer <>
>> Cc: <> <>
>> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values
>> I see your point that it is a fine line reporting how a person authenticated to a Authorization endpoit (it might be by SAML etc) and encouraging people to use OAuth for Authentication.
>> We already have the amr response in connect.  The only thing really missing is a registry.  Unless this is a sneaky way to get requested_amr into Connect?
>> John B.
>>> On Jan 20, 2016, at 5:37 PM, Justin Richer <> wrote:
>>> Just reiterating my stance that this document detailing user authentication methods has no place in the OAuth working group.
>>> — Justin
>>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <> wrote:
>>>> Hi all,
>>>> this is the call for adoption of Authentication Method Reference
>>>> Values, see
>>>> Please let us know by Feb 2nd whether you accept / object to the
>>>> adoption of this document as a starting point for work in the OAuth
>>>> working group.
>>>> Note: The feedback during the Yokohama meeting was inconclusive,
>>>> namely
>>>> 9 for / zero against / 6 persons need more information.
>>>> You feedback will therefore be important to find out whether we
>>>> should do this work in the OAuth working group.
>>>> Ciao
>>>> Hannes & Derek
>>>> _______________________________________________
>>>> OAuth mailing list
>>> _______________________________________________
>>> OAuth mailing list