[openid-specs-rande] RAF expression in OIDC
Wolfgang Pempe
pempe at dfn.de
Mon Sep 2 13:27:12 UTC 2019
On 02.09.19 at 15:14, Roland Hedberg wrote:
> acr and amr definitely goes in the ID Token.
> The default for eduperson_assurance would probably be the userinfo endpoint.
> But you can always ask for it to be returned in the ID Token.
which would be the most flexible solution. You cannot assume that all
identities in an IdM have been subject to the same e.g. identity vetting
process because those processes change over time. Insofar at least
https://refeds.org/assurance/IAP/* should IMO be released per identity
and therefore be returned as part of the ID Token.
Best,
Wolfgang
>
>> On 2 Sep 2019, at 15:10, Marcus Hardt <hardt at kit.edu> wrote:
>>
>> Hi There,
>>
>> thanks for the answers.
>>
>> I suppose that acr and amr go into the ID-Token and eduperson_assurance
>> will be available via the userinfo (in some scope), right?
>>
>> M.
>>
>> On 08/30/19 14:10, Mischa Salle wrote:
>>> Hi Marcus,
>>>
>>> good that you bring this up!
>>> We recently figured out (thanks to Roland for pointing me to it!) that
>>> there is both "acr" and "amr", in addition to the REFEDS'
>>> eduperson_assurance. Actually I'm not sure why we did not consider amr
>>> during the RAF discussions. So perhaps you should produce something like
>>>
>>> "acr" : "https://refeds.org/profile/sfa",
>>> "amr" : [
>>> "https://refeds.org/assurance/ATP/ePA-1d",
>>> "https://refeds.org/assurance/ATP/ePA-1m",
>>> "https://refeds.org/assurance/IAP/local-enterprise",
>>> "https://refeds.org/assurance/IAP/low",
>>> "https://refeds.org/assurance/IAP/medium",
>>> "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>>> "https://refeds.org/assurance/ID/unique",
>>> "https://refeds.org/assurance/profile/cappuccino"
>>> ],
>>> "eduperson_assurance" : [
>>> "https://refeds.org/assurance/ATP/ePA-1d",
>>> "https://refeds.org/assurance/ATP/ePA-1m",
>>> "https://refeds.org/assurance/IAP/local-enterprise",
>>> "https://refeds.org/assurance/IAP/low",
>>> "https://refeds.org/assurance/IAP/medium",
>>> "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
>>> "https://refeds.org/assurance/ID/unique",
>>> "https://refeds.org/assurance/profile/cappuccino"
>>> ],
>>>
>>> which is more or less what Nikhef is now producing.
>>> Additionally we also add some information such as the IGTF assurance
>>> profile OID (typically https://igtf.net/ap/authn-assurance/birch /
>>> urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like
>>> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>>> or
>>> urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
>>> (btw you're missing the 'assurance' part of the $PREFIX for cappuccino)
>>>
>>> See the OIDC core spec under IDToken, one but last claim,
>>> https://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>>
>>> amr
>>> OPTIONAL. Authentication Methods References. JSON array of
>>> strings that are identifiers for authentication methods used in
>>> the authentication. For instance, values might indicate that
>>> both password and OTP authentication methods were used. The
>>> definition of particular values to be used in the amr Claim is
>>> beyond the scope of this specification. Parties using this claim
>>> will need to agree upon the meanings of the values used, which
>>> may be context-specific. The amr value is an array of case
>>> sensitive strings.
>>>
>>> For your link [3], the latest version seems to be
>>> https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings
>>>
>>> Cheers,
>>> Mischa
>>>
>>> On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:
>>>> Hi There,
>>>>
>>>> we have a use case for using the Information of the REFEDS Assurance
>>>> Framework (RAF)[1] via OIDC.
>>>>
>>>> I.e. my home IdP issues me
>>>>
>>>> - https://refeds.org/assurance/ATP/ePA-1d
>>>> - https://refeds.org/assurance/ATP/ePA-1m
>>>> - https://refeds.org/assurance/IAP/local-enterprise
>>>> - https://refeds.org/assurance/IAP/low
>>>> - https://refeds.org/assurance/IAP/medium
>>>> - https://refeds.org/assurance/ID/eppn-unique-no-reassign
>>>> - https://refeds.org/assurance/ID/unique
>>>> - https://refeds.org/profile/cappuccino
>>>>
>>>> Question is how to get these into "OIDC"?
>>>>
>>>> Now, there is already some work done in the OIDCRE[2] group, that
>>>> resulted in this[3] google doc.
>>>>
>>>> [1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
>>>> [2]https://wiki.refeds.org/display/GROUPS/OIDCre
>>>> [3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit
>>>>
>>>>
>>>> Two problems kept us from putting this information (as a list) into
>>>> eduperson_assurance:
>>>>
>>>> 1: Singlevaluedness (I'm not sure about this being so, but I was told)
>>>> 2: ID Token: Assurance might rather belong into the ID Token (while from
>>>> the research background we tend to put all into the userinfo endpoint).
>>>>
>>>>
>>>> Basically, I'm writing to find updated information, or to find a way to
>>>> close this item.
>>>>
>>>>
>>>> Cheers,
>>>> --
>>>> Marcus.
>>>
>>>
>>>
>>>> --
>>>> openid-specs-rande mailing list
>>>> openid-specs-rande at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-rande
>>>
>>>
>>> --
>>> Nikhef Room H155
>>> Science Park 105 Tel. +31-20-592 5102
>>> 1098 XG Amsterdam Fax +31-20-592 5155
>>> The Netherlands Email msalle at nikhef.nl
>>> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
>>
>>
>>
>> --
>> Marcus.
> - Roland
>
> Otium cum dignitate - latin proverb
>
>
>
--
---------------------------------------------------------------------
Wolfgang Pempe Phone : +49 30 884299-308
DFN-Verein Fax : +49 30 884299-370
Alexanderplatz 1 E-Mail : pempe at dfn.de
D-10178 Berlin WWW : https://www.dfn.de
---------------------------------------------------------------------
--------------------- Deutsches Forschungsnetz ----------------------
--------- Germany's National Research and Education Network ---------
---------------------------------------------------------------------
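The thread settles on acr and amr living in the ID Token, with eduperson_assurance coming from the userinfo endpoint unless the RP asks for it in the ID Token, and Mischa points out that the cappuccino value in Marcus's list is missing the 'assurance' path segment. The following relying-party-side check is an added example, not code from the thread or from any of the projects mentioned; the claim sets are constructed, the issuer and subject are placeholders, and the IAP ordering low < medium < high is the RAF one, with 'local-enterprise' treated as unranked.

```python
"""RP-side handling of REFEDS RAF values carried in OIDC claims.

Constructed example: amr from the ID Token, eduperson_assurance from
userinfo (or from the ID Token when it was requested there), with the
values checked against the RAF namespace and reduced to an IAP level.
"""
import json

RAF_PREFIX = "https://refeds.org/assurance/"
IAP_ORDER = ["low", "medium", "high"]  # RAF IAP levels, increasing

# Constructed ID Token claims modelled on the thread's example. acr carries
# the REFEDS authentication profile (a different namespace, not checked
# here); the cappuccino entry keeps the wrong prefix from the thread so the
# validator can show it being flagged. Issuer/subject are placeholders.
ID_TOKEN_CLAIMS = json.loads("""{
  "iss": "https://idp.example.org",
  "sub": "alice",
  "acr": "https://refeds.org/profile/sfa",
  "amr": [
    "https://refeds.org/assurance/ATP/ePA-1d",
    "https://refeds.org/assurance/ATP/ePA-1m",
    "https://refeds.org/assurance/IAP/local-enterprise",
    "https://refeds.org/assurance/IAP/low",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
    "https://refeds.org/assurance/ID/unique",
    "https://refeds.org/profile/cappuccino"
  ]
}""")

# Constructed userinfo response for the same subject.
USERINFO_CLAIMS = {"sub": "alice",
                   "eduperson_assurance": list(ID_TOKEN_CLAIMS["amr"])}


def claims_request_for_id_token(*claim_names):
    """Build the OIDC 'claims' request parameter (OIDC Core 5.5) asking the
    OP to return the named claims in the ID Token rather than via userinfo.
    This is the 'you can always ask for it in the ID Token' route."""
    return {"id_token": {name: {"essential": True} for name in claim_names}}


def parse_raf(value):
    """Split a RAF URI into (component, qualifier), e.g. ('IAP', 'medium').
    Returns None for anything outside https://refeds.org/assurance/, which
    catches the mis-prefixed cappuccino value."""
    if not isinstance(value, str) or not value.startswith(RAF_PREFIX):
        return None
    component, sep, qualifier = value[len(RAF_PREFIX):].partition("/")
    return (component, qualifier) if sep and qualifier else None


def collect_raf_values(id_token_claims, userinfo_claims=None):
    """Gather RAF values from amr and eduperson_assurance.

    eduperson_assurance is read from the ID Token when present there,
    otherwise from userinfo. Before trusting userinfo, its sub must match
    the ID Token sub (OIDC Core 5.3.2). Returns (valid, malformed), sorted."""
    if userinfo_claims is not None and \
            userinfo_claims.get("sub") != id_token_claims.get("sub"):
        raise ValueError("userinfo sub does not match ID Token sub")
    amr = id_token_claims.get("amr", [])
    if not isinstance(amr, list):
        raise ValueError("amr must be a JSON array of strings")
    epa = id_token_claims.get("eduperson_assurance")
    if epa is None and userinfo_claims is not None:
        epa = userinfo_claims.get("eduperson_assurance")
    if isinstance(epa, str):          # tolerate a single-valued encoding
        epa = [epa]
    valid, malformed = set(), set()
    for v in list(amr) + list(epa or []):
        (valid if parse_raf(v) else malformed).add(v)
    return sorted(valid), sorted(malformed)


def highest_iap(values):
    """Highest ranked IAP level among the values, or None. Qualifiers not in
    IAP_ORDER (such as 'local-enterprise') are ignored for ranking."""
    ranked = []
    for v in values:
        parsed = parse_raf(v)
        if parsed and parsed[0] == "IAP" and parsed[1] in IAP_ORDER:
            ranked.append(parsed[1])
    return max(ranked, key=IAP_ORDER.index) if ranked else None


def meets_iap(values, required):
    """True when the asserted IAP level is at least `required`."""
    got = highest_iap(values)
    return got is not None and IAP_ORDER.index(got) >= IAP_ORDER.index(required)


if __name__ == "__main__":
    good, bad = collect_raf_values(ID_TOKEN_CLAIMS, USERINFO_CLAIMS)
    print("valid RAF values:", len(good))
    print("outside RAF namespace:", bad)
    print("highest IAP:", highest_iap(good))
    print("claims request:", json.dumps(claims_request_for_id_token("eduperson_assurance")))
```

Evaluating IAP per identity from the delivered claims, rather than assuming one vetting level for the whole IdP, is the point Wolfgang makes above; the sub check is what keeps a userinfo response from being attached to the wrong ID Token.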