[openid-specs-rande] RAF expression in OIDC
Mischa Salle
msalle at nikhef.nl
Fri Aug 30 12:10:40 UTC 2019
Hi Marcus,
good that you bring this up!
We recently figured out (thanks to Roland for pointing me to it!) that
there is both "acr" and "amr", in addition to the REFEDS'
eduperson_assurance. Actually I'm not sure why we did not consider amr
during the RAF discussions. So perhaps you should produce something like
"acr" : "https://refeds.org/profile/sfa",
"amr" : [
"https://refeds.org/assurance/ATP/ePA-1d",
"https://refeds.org/assurance/ATP/ePA-1m",
"https://refeds.org/assurance/IAP/local-enterprise",
"https://refeds.org/assurance/IAP/low",
"https://refeds.org/assurance/IAP/medium",
"https://refeds.org/assurance/ID/eppn-unique-no-reassign",
"https://refeds.org/assurance/ID/unique",
"https://refeds.org/assurance/profile/cappuccino"
],
"eduperson_assurance" : [
"https://refeds.org/assurance/ATP/ePA-1d",
"https://refeds.org/assurance/ATP/ePA-1m",
"https://refeds.org/assurance/IAP/local-enterprise",
"https://refeds.org/assurance/IAP/low",
"https://refeds.org/assurance/IAP/medium",
"https://refeds.org/assurance/ID/eppn-unique-no-reassign",
"https://refeds.org/assurance/ID/unique",
"https://refeds.org/assurance/profile/cappuccino"
],
which is more or less what Nikhef is now producing.
Additionally we also add some information such as the IGTF assurance
profile OID (typically https://igtf.net/ap/authn-assurance/birch /
urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
or
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
(btw you're missing the 'assurance' part of the $PREFIX for cappuccino)
See the OIDC Core spec under ID Token, second-to-last claim,
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
amr
OPTIONAL. Authentication Methods References. JSON array of
strings that are identifiers for authentication methods used in
the authentication. For instance, values might indicate that
both password and OTP authentication methods were used. The
definition of particular values to be used in the amr Claim is
beyond the scope of this specification. Parties using this claim
will need to agree upon the meanings of the values used, which
may be context-specific. The amr value is an array of case
sensitive strings.
For your link [3], the latest version seems to be
https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings
Cheers,
Mischa
On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:
> Hi There,
>
> we have a use case for using the Information of the REFEDS Assurance
> Framework (RAF)[1] via OIDC.
>
> I.e. my home IdP issues me
>
> - https://refeds.org/assurance/ATP/ePA-1d
> - https://refeds.org/assurance/ATP/ePA-1m
> - https://refeds.org/assurance/IAP/local-enterprise
> - https://refeds.org/assurance/IAP/low
> - https://refeds.org/assurance/IAP/medium
> - https://refeds.org/assurance/ID/eppn-unique-no-reassign
> - https://refeds.org/assurance/ID/unique
> - https://refeds.org/profile/cappuccino
>
> Question is how to get these into "OIDC"?
>
> Now, there is already some work done in the OIDCRE[2] group, that
> resulted in this[3] google doc.
>
> [1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
> [2]https://wiki.refeds.org/display/GROUPS/OIDCre
> [3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit
>
>
> Two problems kept us from putting this information (as a list) into
> eduperson_assurance:
>
> 1: Single-valuedness (I'm not sure about this being so, but I was told)
> 2: ID Token: Assurance might rather belong into the ID Token (while from
> the research background we tend to put all into the userinfo endpoint).
>
>
> Basically, I'm writing to find updated information, or to find a way to
> close this item.
>
>
> Cheers,
> --
> Marcus.
> --
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande
--
Nikhef, Science Park 105, 1098 XG Amsterdam, The Netherlands
Room H155, Tel. +31-20-592 5102, Fax +31-20-592 5155
Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
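The thread leaves the relying-party side implicit: given an ID token (or userinfo response) carrying "acr", "amr" and "eduperson_assurance" in the shape Mischa sketches, how does an RP decide whether the user meets its assurance policy? The example below is added here and is not code from the list, from Nikhef or from REFEDS. It uses the claim values posted in the thread as a constructed sample; the issuer, subject, function names and the "policy" are this example's own assumptions. It accepts either a single string or a JSON array for the assurance claims (Marcus's single-valuedness concern), compares values exactly and case-sensitively (as OIDC Core requires for "amr"), and flags the mis-prefixed cappuccino identifier Mischa points out.

```python
"""Evaluate REFEDS Assurance Framework (RAF) values carried in OIDC claims.

Added example for this thread; not code from the list, from Nikhef or
from REFEDS. The claim set below is constructed from the values quoted
in the thread; issuer, subject and function names are this example's own.
"""

REFEDS_SFA = "https://refeds.org/profile/sfa"
RAF_PREFIX = "https://refeds.org/assurance/"
RAF_PROFILES = ("cappuccino", "espresso")  # the two RAF 1.0 profile names

# Constructed claim set in the shape Mischa suggests: acr + amr +
# eduperson_assurance, using the values from the thread.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.org",  # hypothetical issuer
    "sub": "user-123",                  # hypothetical subject
    "acr": REFEDS_SFA,
    "amr": [
        "https://refeds.org/assurance/ATP/ePA-1d",
        "https://refeds.org/assurance/ATP/ePA-1m",
        "https://refeds.org/assurance/IAP/local-enterprise",
        "https://refeds.org/assurance/IAP/low",
        "https://refeds.org/assurance/IAP/medium",
        "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
        "https://refeds.org/assurance/ID/unique",
        "https://refeds.org/assurance/profile/cappuccino",
    ],
}
SAMPLE_CLAIMS["eduperson_assurance"] = list(SAMPLE_CLAIMS["amr"])


def as_string_list(value):
    """Accept a missing, single-string or JSON-array claim; reject others.

    Some OPs emit one string rather than an array (Marcus's concern 1);
    a bare string is treated as a one-element list.
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise TypeError("assurance claim must be a string or an array of strings")


def misprefixed_profiles(values):
    """Return RAF profile URIs that lack the 'assurance' path segment.

    https://refeds.org/profile/cappuccino is missing the 'assurance' part;
    the RAF identifier is https://refeds.org/assurance/profile/cappuccino.
    https://refeds.org/profile/sfa (REFEDS SFA, used in acr) is a different
    namespace and is deliberately not flagged.
    """
    wrong = ["https://refeds.org/profile/" + name for name in RAF_PROFILES]
    return [v for v in values if v in wrong]


def assurance_values(claims):
    """Union of the values found in amr and eduperson_assurance.

    No normalisation: OIDC Core defines amr as case-sensitive strings.
    """
    values = set()
    for claim in ("amr", "eduperson_assurance"):
        values.update(as_string_list(claims.get(claim)))
    return values


def check_assurance(claims, required, required_acr=REFEDS_SFA):
    """Return (ok, missing) for a hypothetical RP policy.

    required: RAF value URIs that must all be present in amr or
    eduperson_assurance. required_acr: expected acr value, or None to
    skip the acr check.
    """
    present = assurance_values(claims)
    missing = sorted(v for v in required if v not in present)
    acr_ok = required_acr is None or claims.get("acr") == required_acr
    return (acr_ok and not missing), missing


if __name__ == "__main__":
    policy = [RAF_PREFIX + "profile/cappuccino", RAF_PREFIX + "ID/unique"]
    print("SFA + cappuccino + ID/unique:", check_assurance(SAMPLE_CLAIMS, policy))
    # The value as listed in Marcus's mail, without the 'assurance' segment.
    print("mis-prefixed:", misprefixed_profiles(["https://refeds.org/profile/cappuccino"]))
```

If the RP reads assurance from the userinfo endpoint rather than the ID token, the same functions apply to the userinfo JSON; the only thing that changes is where the claims dictionary comes from.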