[openid-specs-rande] RAF expression in OIDC

Nicolas Liampotis nliam at grnet.gr
Fri Aug 30 12:47:11 UTC 2019


Hi Mischa, all,

> On 30 Aug 2019, at 15:10, Mischa Salle <msalle at nikhef.nl> wrote:
> 
> Hi Marcus,
> 
> good that you bring this up!
> We recently figured out (thanks to Roland for pointing me to it!) that
> there is both "acr" and "amr", in addition to the REFEDS'
> eduperson_assurance. Actually I'm not sure why we did not consider amr
> during the RAF discussions.

The amr claim was actually brought up during the RAF discussions but the argument against using that claim was that amr is more related to the authentication, which is not covered by RAF.

> So perhaps you should produce something like
> 
>    "acr" : "https://refeds.org/profile/sfa",
>    "amr" : [
>      "https://refeds.org/assurance/ATP/ePA-1d",
>      "https://refeds.org/assurance/ATP/ePA-1m",
>      "https://refeds.org/assurance/IAP/local-enterprise",
>      "https://refeds.org/assurance/IAP/low",
>      "https://refeds.org/assurance/IAP/medium",
>      "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>      "https://refeds.org/assurance/ID/unique",
>      "https://refeds.org/assurance/profile/cappuccino"
>    ],
>    "eduperson_assurance" : [
>      "https://refeds.org/assurance/ATP/ePA-1d",
>      "https://refeds.org/assurance/ATP/ePA-1m",
>      "https://refeds.org/assurance/IAP/local-enterprise",
>      "https://refeds.org/assurance/IAP/low",
>      "https://refeds.org/assurance/IAP/medium",
>      "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>      "https://refeds.org/assurance/ID/unique",
>      "https://refeds.org/assurance/profile/cappuccino"
>    ],

Expressing SFA/MFA through the acr claim certainly makes sense. However, based on the example provided in Appendix B of RAF version 1.0, it should be sufficient to express the RAF values using just the eduperson_assurance claim.

> which is more or less what Nikhef is now producing.
> Additionally we also add some information such as the IGTF assurance
> profile OID (typically https://igtf.net/ap/authn-assurance/birch /
> urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
>    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> or
>    urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient

I think that this type of information (e.g. PasswordProtectedTransport, TLSClient), which describes the actual authentication method, is probably a better fit for the amr claim. It is interesting that even in SAML, there are implementations that express this information through a custom "authnmethodsreferences" attribute:
https://wiki.refeds.org/pages/viewpage.action?pageId=38895671

But for purely RAF assurance profiles and component values ($PREFIX$/ID/IAP/ATP/profile), using the eduperson_assurance claim seems to be the standard way.

Cheers,
Nicolas

> (btw you're missing the 'assurance' part of the $PREFIX for cappuccino)
> 
> See the OIDC core spec under IDToken, one but last claim,
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
> 
>    amr
> 	OPTIONAL. Authentication Methods References. JSON array of
> 	strings that are identifiers for authentication methods used in
> 	the authentication. For instance, values might indicate that
> 	both password and OTP authentication methods were used. The
> 	definition of particular values to be used in the amr Claim is
> 	beyond the scope of this specification. Parties using this claim
> 	will need to agree upon the meanings of the values used, which
> 	may be context-specific. The amr value is an array of case
> 	sensitive strings.
> 
> For your link [3], the latest version seems to be
> https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings
> 
> Cheers,
> Mischa
> 
> On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:
>> Hi There,
>> 
>> we have a use case for using the Information of the REFEDS Assurance
>> Framework (RAF)[1] via OIDC.
>> 
>> I.e. my home IdP issues me
>> 
>> - https://refeds.org/assurance/ATP/ePA-1d
>> - https://refeds.org/assurance/ATP/ePA-1m
>> - https://refeds.org/assurance/IAP/local-enterprise
>> - https://refeds.org/assurance/IAP/low
>> - https://refeds.org/assurance/IAP/medium
>> - https://refeds.org/assurance/ID/eppn-unique-no-reassign
>> - https://refeds.org/assurance/ID/unique
>> - https://refeds.org/profile/cappuccino
>> 
>> Question is how to get these into "OIDC"?
>> 
>> Now, there is already some work done in the OIDCRE[2] group, that
>> resulted in this[3] google doc.
>> 
>> [1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
>> [2]https://wiki.refeds.org/display/GROUPS/OIDCre
>> [3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit
>> 
>> 
>> Two problems kept us from putting this information (as a list) into
>> eduperson_assurance:
>> 
>> 1: Single-valuedness (I'm not sure about this being so, but I was told)
>> 2: ID Token: Assurance might rather belong into the ID Token (while from
>>   the research background we tend to put all into the userinfo endpoint).
>> 
>> 
>> Basically, I'm writing to find updated information, or to find a way to
>> close this item.
>> 
>> 
>> Cheers,
>> --
>> Marcus.
> 
> 
> 
>> --
>> openid-specs-rande mailing list
>> openid-specs-rande at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-rande
> 
> 
> --
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

--
Nicolas Liampotis
AAI Research Engineer
GRNET - Greek Research and Technology Network
7, Kifisias Av., 115 23, Athens, Greece
k: 0xAC118B82
t: +30 210 7474264
f: +30 210 7474490

Follow us: www.grnet.gr
Twitter: @grnet_gr | Facebook: @grnet.gr
LinkedIn: grnet | YouTube: GRNET EDET
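A relying-party-side check of the claim split argued for in this thread (RAF component and profile values in eduperson_assurance, SFA/MFA in acr, authentication methods in amr), added here as an example that is not part of the mailing-list discussion or any REFEDS deliverable. The claim payload, the sub value and the `require_mfa` policy are constructed; the MFA profile URI is assumed from the REFEDS MFA profile rather than taken from this thread.

```python
import json

RAF_PREFIX = "https://refeds.org/assurance/"
RAF_COMPONENTS = ("ID", "IAP", "ATP", "profile")
SFA = "https://refeds.org/profile/sfa"
MFA = "https://refeds.org/profile/mfa"   # assumed REFEDS MFA profile URI

# Constructed ID token payload: acr carries the SFA profile, amr the
# authentication method, eduperson_assurance the RAF values. The cappuccino
# entry deliberately lacks the "assurance" path segment, as noted in the thread.
SAMPLE_CLAIMS = json.loads("""{
  "sub": "user@example.org",
  "acr": "https://refeds.org/profile/sfa",
  "amr": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
  "eduperson_assurance": [
    "https://refeds.org/assurance/ATP/ePA-1m",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/ID/unique",
    "https://refeds.org/profile/cappuccino"
  ]
}""")


def split_raf(values):
    """Group RAF values by component ($PREFIX/<component>/<value>); return (by_component, malformed)."""
    by_component = {c: set() for c in RAF_COMPONENTS}
    malformed = []
    for v in values:
        if not v.startswith(RAF_PREFIX):
            malformed.append(v)          # wrong prefix, e.g. missing "assurance"
            continue
        component, _, value = v[len(RAF_PREFIX):].partition("/")
        if component not in RAF_COMPONENTS or not value:
            malformed.append(v)
            continue
        by_component[component].add(value)
    return by_component, malformed


def meets_requirement(claims, required_profile, require_mfa=False):
    """RP policy: RAF profile taken from eduperson_assurance only, SFA/MFA from acr only."""
    values = claims.get("eduperson_assurance", [])
    if isinstance(values, str):          # tolerate a single-valued claim
        values = [values]
    raf, malformed = split_raf(values)
    profile_ok = required_profile in raf["profile"]
    acr = claims.get("acr")
    authn_ok = acr == MFA if require_mfa else acr in (SFA, MFA)
    return {"profile_ok": profile_ok, "authn_ok": authn_ok,
            "malformed": malformed, "components": raf}
```

Because the mis-prefixed cappuccino value is reported as malformed rather than silently accepted, the RP sees exactly why the profile requirement is not met.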
