[openid-specs-rande] RAF expression in OIDC
Roland Hedberg
roland at catalogix.se
Mon Sep 2 13:14:47 UTC 2019
acr and amr definitely go in the ID Token.
The default for eduperson_assurance would probably be the userinfo endpoint.
But you can always ask for it to be returned in the ID Token.
> On 2 Sep 2019, at 15:10, Marcus Hardt <hardt at kit.edu> wrote:
>
> Hi There,
>
> thanks for the answers.
>
> I suppose that acr and amr go into the ID-Token and eduperson_assurance
> will be available via the userinfo (in some scope), right?
>
> M.
>
> On 08/30/19 14:10, Mischa Salle wrote:
>> Hi Marcus,
>>
>> good that you bring this up!
>> We recently figured out (thanks to Roland for pointing me to it!) that
>> there is both "acr" and "amr", in addition to the REFEDS'
>> eduperson_assurance. Actually I'm not sure why we did not consider amr
>> during the RAF discussions. So perhaps you should produce something like
>>
>> "acr" : "https://refeds.org/profile/sfa",
>> "amr" : [
>> "https://refeds.org/assurance/ATP/ePA-1d",
>> "https://refeds.org/assurance/ATP/ePA-1m",
>> "https://refeds.org/assurance/IAP/local-enterprise",
>> "https://refeds.org/assurance/IAP/low",
>> "https://refeds.org/assurance/IAP/medium",
>> "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>> "https://refeds.org/assurance/ID/unique",
>> "https://refeds.org/assurance/profile/cappuccino"
>> ],
>> "eduperson_assurance" : [
>> "https://refeds.org/assurance/ATP/ePA-1d",
>> "https://refeds.org/assurance/ATP/ePA-1m",
>> "https://refeds.org/assurance/IAP/local-enterprise",
>> "https://refeds.org/assurance/IAP/low",
>> "https://refeds.org/assurance/IAP/medium",
>> "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>> "https://refeds.org/assurance/ID/unique",
>> "https://refeds.org/assurance/profile/cappuccino"
>> ],
>>
>> which is more or less what Nikhef is now producing.
>> Additionally we also add some information such as the IGTF assurance
>> profile OID (typically https://igtf.net/ap/authn-assurance/birch /
>> urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
>> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> or
>> urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
>> (btw you're missing the 'assurance' part of the $PREFIX for cappuccino)
>>
>> See the OIDC core spec under IDToken, one but last claim,
>> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>
>> amr
>> OPTIONAL. Authentication Methods References. JSON array of
>> strings that are identifiers for authentication methods used in
>> the authentication. For instance, values might indicate that
>> both password and OTP authentication methods were used. The
>> definition of particular values to be used in the amr Claim is
>> beyond the scope of this specification. Parties using this claim
>> will need to agree upon the meanings of the values used, which
>> may be context-specific. The amr value is an array of case
>> sensitive strings.
>>
>> For your link [3], the latest version seems to be
>> https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings
>>
>> Cheers,
>> Mischa
>>
>> On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:
>>> Hi There,
>>>
>>> we have a use case for using the Information of the REFEDS Assurance
>>> Framework (RAF)[1] via OIDC.
>>>
>>> I.e. my home IdP issues me
>>>
>>> - https://refeds.org/assurance/ATP/ePA-1d
>>> - https://refeds.org/assurance/ATP/ePA-1m
>>> - https://refeds.org/assurance/IAP/local-enterprise
>>> - https://refeds.org/assurance/IAP/low
>>> - https://refeds.org/assurance/IAP/medium
>>> - https://refeds.org/assurance/ID/eppn-unique-no-reassign
>>> - https://refeds.org/assurance/ID/unique
>>> - https://refeds.org/profile/cappuccino
>>>
>>> Question is how to get these into "OIDC"?
>>>
>>> Now, there is already some work done in the OIDCRE[2] group, that
>>> resulted in this[3] google doc.
>>>
>>> [1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
>>> [2]https://wiki.refeds.org/display/GROUPS/OIDCre
>>> [3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit
>>>
>>>
>>> Two problems kept us from putting this information (as a list) into
>>> eduperson_assurance:
>>>
>>> 1: Singlevaluedness (I'm not sure about this being so, but I was told)
>>> 2: ID Token: Assurance might rather belong into the ID Token (while from
>>> the research background we tend to put all into the userinfo endpoint.
>>>
>>>
>>> Basically, I'm writing to find updated information, or to find a way to
>>> close this item.
>>>
>>>
>>> Cheers,
>>> --
>>> Marcus.
>>
>>
>>
>>> --
>>> openid-specs-rande mailing list
>>> openid-specs-rande at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-rande
>>
>>
>> --
>> Nikhef Room H155
>> Science Park 105 Tel. +31-20-592 5102
>> 1098 XG Amsterdam Fax +31-20-592 5155
>> The Netherlands Email msalle at nikhef.nl
>> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
>
>
>
> --
> Marcus.
- Roland
Otium cum dignitate - latin proverb
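The thread leaves the relying party with three places RAF values can arrive (acr and amr in the ID Token, eduperson_assurance in the ID Token or from userinfo), a single-string-versus-array ambiguity, and one easy-to-miss mistake (the dropped "assurance" path segment in the cappuccino profile identifier). The following is an added example of an RP-side policy check covering those points; it is not code from any of the posters or from the REFEDS/OIDCre work, and the required-value policy and sample claim sets are constructed for illustration.

```python
"""RP-side check of REFEDS Assurance Framework (RAF) values carried in OIDC claims.
Added example for this thread, not code from the posters; policy and samples are constructed."""

RAF = "https://refeds.org/assurance/"
REQUIRED_ACR = "https://refeds.org/profile/sfa"                 # assumed RP policy
REQUIRED_COMPONENTS = {RAF + "ID/unique", RAF + "IAP/medium"}   # assumed RP policy
RAF_PROFILES = {"cappuccino", "espresso"}  # correct form is RAF + "profile/<name>"

# Constructed sample: acr/amr in the ID Token, eduperson_assurance from userinfo,
# deliberately carrying the mis-prefixed cappuccino value mentioned in the thread.
SAMPLE_ID_TOKEN = {
    "sub": "user123", "acr": REQUIRED_ACR,
    "amr": [RAF + "IAP/medium", RAF + "ID/unique", RAF + "profile/cappuccino"],
}
SAMPLE_USERINFO = {"eduperson_assurance": "https://refeds.org/profile/cappuccino"}

def as_list(value):
    """Accept one string (the 'single-valuedness' worry in the thread) or a JSON
    array of strings; anything else is rejected rather than guessed at."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ValueError("assurance claim must be a string or an array of strings")

def assurance_values(id_token, userinfo=None):
    """Union of RAF values from amr and from eduperson_assurance in either place."""
    userinfo = userinfo or {}
    vals = set(as_list(id_token.get("amr")))
    vals |= set(as_list(id_token.get("eduperson_assurance")))
    vals |= set(as_list(userinfo.get("eduperson_assurance")))
    return vals

def check_assurance(id_token, userinfo=None):
    """Return (ok, reasons). amr values are case-sensitive strings per OIDC Core,
    so the comparison is exact, with no normalisation of the identifiers."""
    reasons = []
    if id_token.get("acr") != REQUIRED_ACR:
        reasons.append("acr is not " + REQUIRED_ACR)
    have = assurance_values(id_token, userinfo)
    missing = REQUIRED_COMPONENTS - have
    if missing:
        reasons.append("missing assurance components: " + ", ".join(sorted(missing)))
    for v in sorted(have):  # catch the dropped 'assurance' path segment
        if v.startswith("https://refeds.org/profile/") and v.rsplit("/", 1)[1] in RAF_PROFILES:
            reasons.append("malformed RAF profile identifier: " + v)
    return (not reasons, reasons)
```

With the sample inputs the check fails only because of the mis-prefixed cappuccino value from userinfo; with the ID Token alone it passes.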