[Openid-specs-ab] amr: strings versus objects
Vladimir Dzhuvinov
vladimir at connect2id.com
Fri Jul 29 07:13:07 UTC 2016
On 28/07/16 22:01, Mike Schwartz via Openid-specs-ab wrote:
> Vladimir and Mike, thanks for the comments.
>
> It hadn't occurred to me to add a custom claim like "amr_context".
> It's not a bad idea, but we prefer not to stray from the spec with our
> own custom features.
>
> I'm aware of the 'amr' spec in the OAuth group. I'm just too
> pessimistic about this idea. I don't have a fix, so I'm not saying
> anything, so as not to spoil everyone else's fun.
>
> My main issue was the ordering of the amr values. I'll give you the
> use case...
>
> In the Gluu Server, you can define multiple authentication workflows.
> Each workflow has an "Authentication Level," which is an integer that
> the admin would set to indicate its relative strength. (Think
> "Siteminder Level"). My thought is that we can't set these integers
> globally, but within a domain, it can be done.
>
> So returning the level in the amr is no problem... we're doing that.
> My concern is that we are making a policy that the level is always
> returned as the first amr value. That works, but it seems sort of
> restrictive to me.
>
> If we had an array of objects, there would be so much more opportunity
> to provide information about the amr:
>
> amr = [ {"name": "level", "value": "5"},
> {"name": "fraud_score", "value": "518"},
> {"name": "fingerprint", "category": "biometric", "paDesc": "100"}
> ]
>
> And the order would be unimportant, because we could always just find
> the object with name=level...
>
Thanks for illustrating what you meant by context. You essentially want
to include variable information about the individual auth methods, as
they got applied to the particular user.
Do you make any use of the ACR claim?
The concept of "Level" seems to be better accommodated by the ACR claim.
The ACR claim is also a URI, which means you could include the variable
information in there, as parameters:
http://example.com/my-loa/high?level=5&fraud_score=518&...
Here are the ACR profiles that have been registered with IANA (to get an
idea of what they look like):
http://www.iana.org/assignments/loa-profiles/loa-profiles.xml
That way you can still stay within the assumed definition of AMR, and
won't need a custom amr_context parameter.
> Anyway, just an idea...
>
> - Mike
>
>
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
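As an added illustration (not code from either poster), this carries the ACR-URI suggestion through: the per-login context Mike wants (level, fraud score) rides as query parameters on the ACR URI, "amr" stays a plain array of method strings, and a relying party checks both. The base URI "http://example.com/my-loa/", the parameter names and the sample claims are assumptions made for the example.

```python
# Added example, not from the thread: carry the authentication context in the
# ACR URI's query parameters (as suggested) and keep "amr" as a list of strings.
# ACR_BASE, the parameter names and EXAMPLE_CLAIMS are assumptions for illustration.
from urllib.parse import urlencode, urlsplit, parse_qs

ACR_BASE = "http://example.com/my-loa/"  # assumed base, matches the host used above


def build_acr(loa_name, **context):
    """Build an ACR URI such as http://example.com/my-loa/high?level=5&fraud_score=518."""
    uri = ACR_BASE + loa_name
    if context:
        uri += "?" + urlencode(context)
    return uri


def parse_acr(acr):
    """Split an ACR URI into its LoA name and a dict of single-valued parameters."""
    parts = urlsplit(acr)
    loa_name = parts.path.rsplit("/", 1)[-1]
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return loa_name, params


def meets_policy(claims, min_level, required_methods=()):
    """Check an ID token's acr/amr claims against a relying-party policy.

    "amr" must be a JSON array of strings (the spec's definition), and the
    "level" parameter of the ACR URI must be an integer >= min_level.
    """
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        return False  # an array of objects is not what the spec defines
    acr = claims.get("acr")
    if not isinstance(acr, str) or not acr.startswith(ACR_BASE):
        return False  # only trust ACR values from the expected issuer namespace
    _, params = parse_acr(acr)
    try:
        level = int(params.get("level", ""))
    except ValueError:
        return False  # no usable level: fail closed
    return level >= min_level and set(required_methods) <= set(amr)


# Constructed ID-token claims for the worked example.
EXAMPLE_CLAIMS = {
    "sub": "alice",
    "acr": build_acr("high", level=5, fraud_score=518),
    "amr": ["pwd", "otp"],
}
```

Because the level is read from a named parameter rather than from a position in "amr", the ordering concern raised above disappears.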