[openid-specs-rande] RAF expression in OIDC

Marcus Hardt hardt at kit.edu
Mon Sep 2 13:10:13 UTC 2019


Hi There,

thanks for the answers.

I suppose that acr and amr go into the ID-Token and eduperson_assurance
will be available via the userinfo (in some scope), right?

M.

On 08/30/19 14:10, Mischa Salle wrote:
> Hi Marcus,
> 
> good that you bring this up!
> We recently figured out (thanks to Roland for pointing me to it!) that
> there is both "acr" and "amr", in addition to the REFEDS'
> eduperson_assurance. Actually I'm not sure why we did not consider amr
> during the RAF discussions. So perhaps you should produce something like
> 
>     "acr" : "https://refeds.org/profile/sfa",
>     "amr" : [
>       "https://refeds.org/assurance/ATP/ePA-1d",
>       "https://refeds.org/assurance/ATP/ePA-1m",
>       "https://refeds.org/assurance/IAP/local-enterprise",
>       "https://refeds.org/assurance/IAP/low",
>       "https://refeds.org/assurance/IAP/medium",
>       "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>       "https://refeds.org/assurance/ID/unique",
>       "https://refeds.org/assurance/profile/cappuccino"
>     ],
>     "eduperson_assurance" : [
>       "https://refeds.org/assurance/ATP/ePA-1d",
>       "https://refeds.org/assurance/ATP/ePA-1m",
>       "https://refeds.org/assurance/IAP/local-enterprise",
>       "https://refeds.org/assurance/IAP/low",
>       "https://refeds.org/assurance/IAP/medium",
>       "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>       "https://refeds.org/assurance/ID/unique",
>       "https://refeds.org/assurance/profile/cappuccino"
>     ],
> 
> which is more or less what Nikhef is now producing.
> Additionally we also add some information such as the IGTF assurance
> profile OID (typically https://igtf.net/ap/authn-assurance/birch /
> urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
>     urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> or
>     urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
> (btw you're missing the 'assurance' part of the $PREFIX for cappuccino)
> 
> See the OIDC core spec under IDToken, one but last claim,
> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
> 
>     amr
> 	OPTIONAL. Authentication Methods References. JSON array of
> 	strings that are identifiers for authentication methods used in
> 	the authentication. For instance, values might indicate that
> 	both password and OTP authentication methods were used. The
> 	definition of particular values to be used in the amr Claim is
> 	beyond the scope of this specification. Parties using this claim
> 	will need to agree upon the meanings of the values used, which
> 	may be context-specific. The amr value is an array of case
> 	sensitive strings.
> 
> For your link [3], the latest version seems to be
> https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings
> 
> Cheers,
> Mischa
> 
> On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:
> > Hi There,
> > 
> > we have a use case for using the Information of the REFEDS Assurance
> > Framework (RAF)[1] via OIDC.
> > 
> > I.e. my home IdP issues me 
> > 
> > - https://refeds.org/assurance/ATP/ePA-1d
> > - https://refeds.org/assurance/ATP/ePA-1m
> > - https://refeds.org/assurance/IAP/local-enterprise
> > - https://refeds.org/assurance/IAP/low
> > - https://refeds.org/assurance/IAP/medium
> > - https://refeds.org/assurance/ID/eppn-unique-no-reassign
> > - https://refeds.org/assurance/ID/unique
> > - https://refeds.org/profile/cappuccino
> >  
> > Question is how to get these into "OIDC"?
> > 
> > Now, there is already some work done in the OIDCRE[2] group, that
> > resulted in this[3] google doc.
> > 
> > [1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
> > [2]https://wiki.refeds.org/display/GROUPS/OIDCre
> > [3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit
> > 
> > 
> > Two problems kept us from putting this information (as a list) into
> > eduperson_assurance:
> > 
> > 1: Singlevaluedness (I'm not sure about this being so, but I was told)
> > 2: ID Token: Assurance might rather belong into the ID Token (while from
> >    the research background we tend to put all into the userinfo endpoint).
> > 
> > 
> > Basically, I'm writing to find updated information, or to find a way to
> > close this item.
> > 
> > 
> > Cheers,
> > -- 
> > Marcus.
> 
> -- 
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..



-- 
Marcus.
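As an added illustration of the claim layout discussed above (not code from the thread or from Nikhef's deployment): relying-party checks that read acr/amr from the ID token and eduperson_assurance from userinfo, reject values lacking the "https://refeds.org/assurance/" prefix (the cappuccino mistake Mischa points out), match case-sensitively as OIDC core requires for amr, and test whether the Cappuccino components are all present. The claim values are constructed samples mirroring the thread; the Cappuccino composition is taken from RAF 1.0.

```python
"""Relying-party checks for REFEDS RAF values carried in OIDC claims."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

RAF_PREFIX = "https://refeds.org/assurance/"
# Authentication profiles that may appear in "acr" (REFEDS SFA / MFA profiles).
KNOWN_ACR = {"https://refeds.org/profile/sfa", "https://refeds.org/profile/mfa"}
# Components RAF 1.0 lists for the Cappuccino profile.
CAPPUCCINO_PARTS = {RAF_PREFIX + "ID/unique", RAF_PREFIX + "ID/eppn-unique-no-reassign",
                    RAF_PREFIX + "IAP/medium", RAF_PREFIX + "ATP/ePA-1m"}
IAP_ORDER = ["low", "medium", "high"]  # ascending identity-assurance levels


def split_raf_values(values: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Return (well-formed RAF values, rejected values). Matching is exact and
    case-sensitive; https://refeds.org/profile/cappuccino (missing the
    'assurance' path element) is rejected instead of silently accepted."""
    good, bad = set(), []
    for v in values:
        if isinstance(v, str) and v.startswith(RAF_PREFIX) and len(v) > len(RAF_PREFIX):
            good.add(v)
        else:
            bad.append(v)
    return good, bad


def highest_iap(raf: Set[str]) -> Optional[str]:
    """Highest IAP level asserted (low < medium < high), or None."""
    levels = [lvl for lvl in IAP_ORDER if RAF_PREFIX + "IAP/" + lvl in raf]
    return levels[-1] if levels else None


def evaluate(id_token: Dict, userinfo: Dict) -> Dict:
    """Combine acr/amr from the ID token with eduperson_assurance from userinfo."""
    amr = id_token.get("amr", [])
    if not isinstance(amr, list):  # OIDC core: amr is a JSON array of strings
        raise ValueError("amr must be a JSON array of strings")
    raf, rejected = split_raf_values(list(amr) + list(userinfo.get("eduperson_assurance", [])))
    return {
        "acr_known": id_token.get("acr") in KNOWN_ACR,
        "iap": highest_iap(raf),
        "cappuccino_substantiated": CAPPUCCINO_PARTS <= raf,   # all components present
        "cappuccino_claimed": RAF_PREFIX + "profile/cappuccino" in raf,
        "rejected": rejected,
    }


# Constructed sample: acr/amr in the ID token, the RAF list via userinfo.
SAMPLE_ID_TOKEN = {"acr": "https://refeds.org/profile/sfa",
                   "amr": [RAF_PREFIX + "ID/unique", RAF_PREFIX + "ID/eppn-unique-no-reassign",
                           RAF_PREFIX + "IAP/medium", RAF_PREFIX + "ATP/ePA-1m"]}
SAMPLE_USERINFO = {"eduperson_assurance": [RAF_PREFIX + "IAP/low", RAF_PREFIX + "ATP/ePA-1d",
                                           "https://refeds.org/profile/cappuccino"]}
```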