<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">acr and amr definitely go in the ID Token.<div class="">The default for eduperson_assurance would probably be the userinfo endpoint.</div><div class="">But you can always ask for it to be returned in the ID Token.<br class=""><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 2 Sep 2019, at 15:10, Marcus Hardt <<a href="mailto:hardt@kit.edu" class="">hardt@kit.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Hi There,</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">thanks for the answers.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">I suppose that acr and amr go into the ID-Token and eduperson_assurance</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">will be available via 
the userinfo (in some scope), right?</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">M.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: 
none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">On 08/30/19 14:10, Mischa Salle wrote:</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Hi Marcus,<br class=""><br class="">good that you bring this up!<br class="">We recently figured out (thanks to Roland for pointing me to it!) that<br class="">there is both "acr" and "amr", in addition to the REFEDS'<br class="">eduperson_assurance. Actually I'm not sure why we did not consider amr<br class="">during the RAF discussions. 
So perhaps you should produce something like<br class=""><br class="">   "acr" : "<a href="https://refeds.org/profile/sfa" class="">https://refeds.org/profile/sfa</a>",<br class="">   "amr" : [<br class="">     "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class="">     "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/medium" class="">https://refeds.org/assurance/IAP/medium</a>",<br class="">     "<a href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class="">     "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class="">     "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class="">   ],<br class="">   "eduperson_assurance" : [<br class="">     "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class="">     "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class="">     "<a href="https://refeds.org/assurance/IAP/medium" class="">https://refeds.org/assurance/IAP/medium</a>",<br class="">     "<a 
href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class="">     "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class="">     "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class="">   ],<br class=""><br class="">which is more or less what Nikhef is now producing.<br class="">Additionally we also add some information such as the IGTF assurance<br class="">profile OID (typically <a href="https://igtf.net/ap/authn-assurance/birch" class="">https://igtf.net/ap/authn-assurance/birch</a> /<br class="">urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like<br class="">   urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br class="">or<br class="">   urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient<br class="">(btw you're missing the 'assurance' part of the $PREFIX for cappuccino)<br class=""><br class="">See the OIDC core spec under IDToken, one but last claim,<br class=""><a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken" class="">https://openid.net/specs/openid-connect-core-1_0.html#IDToken</a><br class=""><br class="">   amr<br class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>OPTIONAL. Authentication Methods References. JSON array of<br class=""><span class="Apple-tab-span" style="white-space: pre;">   </span>strings that are identifiers for authentication methods used in<br class=""><span class="Apple-tab-span" style="white-space: pre;">      </span>the authentication. For instance, values might indicate that<br class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>both password and OTP authentication methods were used. 
The<br class=""><span class="Apple-tab-span" style="white-space: pre;">  </span>definition of particular values to be used in the amr Claim is<br class=""><span class="Apple-tab-span" style="white-space: pre;">       </span>beyond the scope of this specification. Parties using this claim<br class=""><span class="Apple-tab-span" style="white-space: pre;">     </span>will need to agree upon the meanings of the values used, which<br class=""><span class="Apple-tab-span" style="white-space: pre;">       </span>may be context-specific. The amr value is an array of case<br class=""><span class="Apple-tab-span" style="white-space: pre;">   </span>sensitive strings.<br class=""><br class="">For your link [3], the latest version seems to be<br class="">https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings<br class=""><br class="">Cheers,<br class="">Mischa<br class=""><br class="">On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:<br class=""><blockquote type="cite" class="">Hi There,<br class=""><br class="">we have a use case for using the Information of the REFEDS Assurance<br class="">Framework (RAF)[1] via OIDC.<br class=""><br class="">I.e. 
my home IdP issues me<span class="Apple-converted-space"> </span><br class=""><br class="">- https://refeds.org/assurance/ATP/ePA-1d<br class="">- https://refeds.org/assurance/ATP/ePA-1m<br class="">- https://refeds.org/assurance/IAP/local-enterprise<br class="">- https://refeds.org/assurance/IAP/low<br class="">- https://refeds.org/assurance/IAP/medium<br class="">- https://refeds.org/assurance/ID/eppn-unique-no-reassign<br class="">- https://refeds.org/assurance/ID/unique<br class="">- https://refeds.org/profile/cappuccino<br class=""><br class="">Question is how to get these into "OIDC"?<br class=""><br class="">Now, there is already some work done in the OIDCRE[2] group, that<br class="">resulted in this[3] Google doc.<br class=""><br class="">[1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0<br class="">[2]https://wiki.refeds.org/display/GROUPS/OIDCre<br class="">[3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit<br class=""><br class=""><br class="">Two problems kept us from putting this information (as a list) into<br class="">eduperson_assurance:<br class=""><br class="">1: Single-valuedness (I'm not sure about this being so, but I was told)<br class="">2: ID Token: Assurance might rather belong into the ID Token (while from<br class="">  the research background we tend to put all into the userinfo endpoint).<br class=""><br class=""><br class="">Basically, I'm writing to find updated information, or to find a way to<br class="">close this item.<br class=""><br class=""><br class="">Cheers,<br class="">--<span class="Apple-converted-space"> </span><br class="">Marcus.<br class=""></blockquote><br class=""><br class=""><br class=""><blockquote type="cite" class="">--<span class="Apple-converted-space"> </span><br class="">openid-specs-rande mailing list<br class="">openid-specs-rande@lists.openid.net<br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></blockquote><br 
class=""><br class="">--<span class="Apple-converted-space"> </span><br class="">Nikhef                      Room  H155<br class="">Science Park 105            Tel.  +31-20-592 5102<br class="">1098 XG Amsterdam           Fax   +31-20-592 5155<br class="">The Netherlands             Email msalle@nikhef.nl<br class=""> __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..<br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">--<span class="Apple-converted-space"> </span></span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; 
text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Marcus.</span></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">- Roland</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Otium cum dignitate - latin proverb</div></div>
</div>
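An added example (not code from this thread, nor from Nikhef or KIT) of how a relying party could consume the claims discussed above: it merges ID Token and userinfo claims after checking that both carry the same sub (as OIDC Core requires), validates that amr is a JSON array of strings, collects the RAF values from amr and eduperson_assurance, flags refeds.org values outside the RAF vocabulary quoted in the thread (which catches the cappuccino value that is missing its 'assurance' path segment, as Mischa points out), and evaluates a simple policy. The sample claims, function names and policy are assumptions.

```python
"""Relying-party evaluation of REFEDS RAF claims carried in OIDC (constructed example)."""
from __future__ import annotations

REFEDS_SFA = "https://refeds.org/profile/sfa"
RAF_PREFIX = "https://refeds.org/assurance/"

# RAF vocabulary as posted in the thread; any other refeds.org value is reported
# as unknown so that a mis-prefixed value cannot silently satisfy a policy.
KNOWN_RAF_VALUES = {RAF_PREFIX + v for v in (
    "ATP/ePA-1d", "ATP/ePA-1m",
    "IAP/local-enterprise", "IAP/low", "IAP/medium",
    "ID/eppn-unique-no-reassign", "ID/unique",
    "profile/cappuccino",
)}

# Constructed sample: acr/amr in the ID Token, eduperson_assurance via userinfo.
# The last eduperson_assurance value lacks the "assurance/" path segment.
SAMPLE_ID_TOKEN = {
    "sub": "user-1234",
    "acr": REFEDS_SFA,
    "amr": [RAF_PREFIX + "ATP/ePA-1m", RAF_PREFIX + "IAP/medium",
            RAF_PREFIX + "ID/unique",
            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"],
}
SAMPLE_USERINFO = {
    "sub": "user-1234",
    "eduperson_assurance": [RAF_PREFIX + "IAP/low", RAF_PREFIX + "IAP/medium",
                            RAF_PREFIX + "ID/eppn-unique-no-reassign",
                            RAF_PREFIX + "ID/unique",
                            "https://refeds.org/profile/cappuccino"],
}


def merge_claims(id_token: dict, userinfo: dict | None = None) -> dict:
    """Combine ID Token (assumed already signature-checked) and userinfo claims.
    OIDC Core requires the userinfo sub to match the ID Token sub exactly;
    on conflict the signed ID Token value wins."""
    if userinfo is not None and userinfo.get("sub") != id_token.get("sub"):
        raise ValueError("userinfo sub does not match ID Token sub")
    merged = dict(userinfo or {})
    merged.update(id_token)
    return merged


def assurance_values(claims: dict) -> tuple[set[str], list[str]]:
    """Split amr + eduperson_assurance into (recognised RAF values, unknown refeds values)."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")  # OIDC Core, IDToken
    epa = claims.get("eduperson_assurance", [])
    values = list(amr) + ([epa] if isinstance(epa, str) else list(epa))  # tolerate single value
    known = {v for v in values if v in KNOWN_RAF_VALUES}
    unknown = sorted({v for v in values
                      if v.startswith("https://refeds.org/") and v not in KNOWN_RAF_VALUES})
    return known, unknown


def meets_policy(claims: dict, required: set[str], require_sfa: bool = True) -> bool:
    """True when acr is the REFEDS SFA profile (if required) and every required RAF value is present."""
    if require_sfa and claims.get("acr") != REFEDS_SFA:
        return False
    known, _ = assurance_values(claims)
    return required <= known
```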
<br class=""></div></div></body></html>