[Openid-specs-ab] amr: strings versus objects
Mike Jones
Michael.Jones at microsoft.com
Thu Jul 28 18:28:26 UTC 2016
Actually, the "amr" claim is defined by the OpenID Connect Core spec, which became a final specification in February 2014. You can see the reference to OpenID Connect Core 1.0, Section 2, in the IANA JWT Claims Registry at http://www.iana.org/assignments/jwt/jwt.xhtml#claims. Given that the "amr" type is defined by a final specification, it is not subject to change. The OAuth AMR Values spec defines specific "amr" values but does not define the claim itself.
Also, the "r" in "amr" is pertinent - it stands for "reference" - meaning that an "amr" value is a reference to an authentication method definition. It does not attempt to carry the definition as a value, which I think is what Mike Schwartz is thinking of.
Best wishes,
-- Mike
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Phil Hunt via Openid-specs-ab
Sent: Thursday, July 28, 2016 10:41 AM
To: Vladimir Dzhuvinov <vladimir at connect2id.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] amr: strings versus objects
The OAuth list is the best place.
Curious though what you mean by "context".
Phil
@independentid
www.independentid.com
phil.hunt at oracle.com
On Jul 28, 2016, at 7:32 AM, Vladimir Dzhuvinov via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Mike, you should probably speak up to the OAuth WG list, the AMR spec is
being crafted there.
As for making the AMR values JSON objects, this will make their use
harder for people who don't need this extra functionality.
But if you do need that, you could send along a secondary AMR context
claim, that references the AMR values:
"amr":["mfa", "pwd", "otp"],
"amr_context":{"mfa":{ context }, "pwd":{ context }...}
Vladimir
On 27/07/16 17:52, Mike Schwartz via Openid-specs-ab wrote:
OpenID Connect-heads:
amr is defined as a "JSON array of strings"
This seems somewhat limiting... wouldn't it be better as a JSON array
of objects? That would enable us to convey more context about these
particular strings...
If the spec says "The definition of particular values to be used in
the amr Claim is beyond the scope of this specification", why are you
specifying the type of the values?
- Mike
-------------------------------------
Michael Schwartz
Gluu
http://gluu.org
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
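Added example, not part of the thread or of any OpenID specification: a relying-party check that enforces the "amr" type discussed above (a JSON array of case-sensitive strings) and fails closed when a token carries objects instead. The "amr_context" handling follows Vladimir's sketch and is hypothetical; the function names and sample payloads are constructed for illustration.

```python
import json

# Constructed ID Token payloads (not from the thread); "amr_context" contents are made up.
GOOD = json.loads('{"sub": "u1", "amr": ["mfa", "pwd", "otp"],'
                  ' "amr_context": {"otp": {"digits": 6}}}')
OBJECTS = json.loads('{"sub": "u1", "amr": [{"method": "pwd"}]}')
DANGLING = json.loads('{"sub": "u1", "amr": ["pwd"], "amr_context": {"otp": {}}}')


def parse_amr(claims):
    """Return (amr_values, context) or raise ValueError on malformed claims."""
    amr = claims.get("amr", [])  # the claim is optional; absent means no references
    # OpenID Connect Core: "amr" is a JSON array of case-sensitive strings.
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    # "amr_context" is the hypothetical companion claim sketched in the thread,
    # not a registered JWT claim. Its keys must reference values listed in "amr".
    ctx = claims.get("amr_context", {})
    if not isinstance(ctx, dict) or not all(isinstance(v, dict) for v in ctx.values()):
        raise ValueError("amr_context must map amr values to JSON objects")
    dangling = sorted(set(ctx) - set(amr))
    if dangling:
        raise ValueError(f"amr_context keys not listed in amr: {dangling}")
    return amr, ctx


def meets_policy(claims, required):
    """True only if every required method reference is present (exact match)."""
    try:
        amr, _ = parse_amr(claims)
    except ValueError:
        return False  # fail closed: a malformed claim never satisfies policy
    return set(required) <= set(amr)


if __name__ == "__main__":
    for name, c in (("good", GOOD), ("objects", OBJECTS), ("dangling", DANGLING)):
        print(name, meets_policy(c, ["mfa", "otp"]))
```

Run the check only after the ID Token's signature, issuer and audience have been validated; the "amr" values are meaningful only when they come from a trusted issuer.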