<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi all,<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 5 Sep 2019, at 16:39, Mischa Salle <<a href="mailto:msalle@nikhef.nl" class="">msalle@nikhef.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi all,<br class=""><br class="">On Tue, Sep 03, 2019 at 08:31:12AM +0200, Marcus Hardt wrote:<br class=""><blockquote type="cite" class="">On 09/02/19 15:27, Wolfgang Pempe wrote:<br class=""><blockquote type="cite" class="">On 02.09.19 at 15:14, Roland Hedberg wrote:<br class=""><blockquote type="cite" class="">acr and amr definitely go in the ID Token.<br class="">The default for eduperson_assurance would probably be the userinfo endpoint.<br class="">But you can always ask for it to be returned in the ID Token.<br class=""></blockquote><br class="">which would be the most flexible solution. You cannot assume that all<br class="">identities in an IdM have been subject to the same e.g. identity vetting<br class="">process because those processes change over time. Insofar at least<br class=""><a href="https://refeds.org/assurance/IAP/*" class="">https://refeds.org/assurance/IAP/*</a> should IMO be released per identity and<br class="">therefore be returned as part of the ID Token.<br class=""></blockquote><br class="">As far as I understand it:<br class=""><br class="">Yes, it should be released per identity.<br class=""><br class="">Yes, it should be part of the ID token. Then it is in the "amr" claim.<br class=""><br class="">But, it should also be available in the userinfo. Then as part of the<br class="">eduperson_assurance claim.<br class=""></blockquote><br class="">I think you and Wolfgang are now a bit confused. Both ID token and<br class="">userinfo are released per identity. 
The difference is that there is a<br class="">preference to release in the ID token the information relating to the<br class="">actual authentication that took place, while the userinfo typically<br class="">releases the profile information of the user. There is no hard guideline<br class="">stating this though. Personally I think that it probably makes most<br class="">sense to release both amr and eduperson_assurance in the ID token; I<br class="">don't think it's really profile information, but they could also both be<br class="">released from the userinfo in certain cases I guess.<br class=""></div></div></blockquote><div><br class=""></div><div>I think that it makes sense to release acr/amr and eduperson_assurance through *both* the ID token and the UserInfo endpoint. Furthermore, given that assurance information can be used for authorisation purposes, it would also be a good idea to expose these claims through the introspection endpoint [<a href="https://tools.ietf.org/html/rfc7662" class="">https://tools.ietf.org/html/rfc7662</a>].</div><div><br class=""></div><div>Cheers,</div><div>Nicolas</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">See also Nicolas' email from Fri, 30 Aug 2019 12:47:11 +0000 about what<br class="">to put in amr vs. 
eduperson_assurance.<br class=""><br class=""> Cheers,<br class=""> Mischa<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">On 2 Sep 2019, at 15:10, Marcus Hardt <<a href="mailto:hardt@kit.edu" class="">hardt@kit.edu</a>> wrote:<br class=""><br class="">Hi There,<br class=""><br class="">thanks for the answers.<br class=""><br class="">I suppose that acr and amr go into the ID-Token and eduperson_assurance<br class="">will be available via the userinfo (in some scope), right?<br class=""><br class="">M.<br class=""><br class="">On 08/30/19 14:10, Mischa Salle wrote:<br class=""><blockquote type="cite" class="">Hi Marcus,<br class=""><br class="">good that you bring this up!<br class="">We recently figured out (thanks to Roland for pointing me to it!) that<br class="">there is both "acr" and "amr", in addition to the REFEDS'<br class="">eduperson_assurance. Actually I'm not sure why we did not consider amr<br class="">during the RAF discussions. 
So perhaps you should produce something like<br class=""><br class=""> "acr" : "<a href="https://refeds.org/profile/sfa" class="">https://refeds.org/profile/sfa</a>",<br class=""> "amr" : [<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/medium" class="">https://refeds.org/assurance/IAP/medium</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class=""> "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class=""> ],<br class=""> "eduperson_assurance" : [<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1d" class="">https://refeds.org/assurance/ATP/ePA-1d</a>",<br class=""> "<a href="https://refeds.org/assurance/ATP/ePA-1m" class="">https://refeds.org/assurance/ATP/ePA-1m</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/local-enterprise" class="">https://refeds.org/assurance/IAP/local-enterprise</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/low" class="">https://refeds.org/assurance/IAP/low</a>",<br class=""> "<a href="https://refeds.org/assurance/IAP/medium" class="">https://refeds.org/assurance/IAP/medium</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/eppn-unique-no-reassign" 
class="">https://refeds.org/assurance/ID/eppn-unique-no-reassign</a>",<br class=""> "<a href="https://refeds.org/assurance/ID/unique" class="">https://refeds.org/assurance/ID/unique</a>",<br class=""> "<a href="https://refeds.org/assurance/profile/cappuccino" class="">https://refeds.org/assurance/profile/cappuccino</a>"<br class=""> ],<br class=""><br class="">which is more or less what Nikhef is now producing.<br class="">Additionally we also add some information such as the IGTF assurance<br class="">profile OID (typically <a href="https://igtf.net/ap/authn-assurance/birch" class="">https://igtf.net/ap/authn-assurance/birch</a> /<br class="">urn:oid:1.2.840.113612.5.2.5.2) and authN type, e.g. something like<br class=""> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br class="">or<br class=""> urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient<br class="">(btw you're missing the 'assurance' part of the $PREFIX for cappuccino)<br class=""><br class="">See the OIDC core spec under IDToken, one but last claim,<br class=""><a href="https://openid.net/specs/openid-connect-core-1_0.html#IDToken" class="">https://openid.net/specs/openid-connect-core-1_0.html#IDToken</a><br class=""><br class=""> amr<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>OPTIONAL. Authentication Methods References. JSON array of<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>strings that are identifiers for authentication methods used in<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>the authentication. For instance, values might indicate that<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>both password and OTP authentication methods were used. 
The<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>definition of particular values to be used in the amr Claim is<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>beyond the scope of this specification. Parties using this claim<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>will need to agree upon the meanings of the values used, which<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>may be context-specific. The amr value is an array of case<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>sensitive strings.<br class=""><br class="">For your link [3], the latest version seems to be<br class="">https://wiki.refeds.org/display/CON/Consultation%3A+SAML2+and+OIDC+Mappings<br class=""><br class="">Cheers,<br class="">Mischa<br class=""><br class="">On Tue, Aug 27, 2019 at 02:09:48PM +0200, Marcus Hardt wrote:<br class=""><blockquote type="cite" class="">Hi There,<br class=""><br class="">we have a use case for using the information of the REFEDS Assurance<br class="">Framework (RAF)[1] via OIDC.<br class=""><br class="">I.e. 
my home IdP issues me<br class=""><br class="">- https://refeds.org/assurance/ATP/ePA-1d<br class="">- https://refeds.org/assurance/ATP/ePA-1m<br class="">- https://refeds.org/assurance/IAP/local-enterprise<br class="">- https://refeds.org/assurance/IAP/low<br class="">- https://refeds.org/assurance/IAP/medium<br class="">- https://refeds.org/assurance/ID/eppn-unique-no-reassign<br class="">- https://refeds.org/assurance/ID/unique<br class="">- https://refeds.org/profile/cappuccino<br class=""><br class="">Question is how to get these into "OIDC"?<br class=""><br class="">Now, there is already some work done in the OIDCRE[2] group, that<br class="">resulted in this[3] Google doc.<br class=""><br class="">[1]https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0<br class="">[2]https://wiki.refeds.org/display/GROUPS/OIDCre<br class="">[3]https://docs.google.com/document/d/1b-Mlet3Lq7qKLEf1BnHJ4nL1fq-vMe7fzpXyrq2wp08/edit<br class=""><br class=""><br class="">Two problems kept us from putting this information (as a list) into<br class="">eduperson_assurance:<br class=""><br class="">1: Single-valuedness (I'm not sure about this being so, but I was told)<br class="">2: ID Token: Assurance might rather belong into the ID Token (while from<br class=""> the research background we tend to put all into the userinfo endpoint).<br class=""><br class=""><br class="">Basically, I'm writing to find updated information, or to find a way to<br class="">close this item.<br class=""><br class=""><br class="">Cheers,<br class="">-- <br class="">Marcus.<br class=""></blockquote><br class=""><br class=""><br class=""><blockquote type="cite" class="">-- <br class="">openid-specs-rande mailing list<br class="">openid-specs-rande@lists.openid.net<br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></blockquote><br class=""><br class="">-- <br class="">Nikhef Room H155<br class="">Science Park 105 Tel. 
+31-20-592 5102<br class="">1098 XG Amsterdam Fax +31-20-592 5155<br class="">The Netherlands Email msalle@nikhef.nl<br class=""> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br class=""></blockquote><br class=""><br class=""><br class="">-- <br class="">Marcus.<br class=""></blockquote>- Roland<br class=""><br class="">Otium cum dignitate - Latin proverb<br class=""><br class=""><br class=""><br class=""></blockquote><br class="">-- <br class="">---------------------------------------------------------------------<br class="">Wolfgang Pempe Phone : +49 30 884299-308<br class="">DFN-Verein Fax : +49 30 884299-370<br class="">Alexanderplatz 1 <a href="mailto:pempe@dfn.de" class="">E-Mail : pempe@dfn.de</a><br class="">D-10178 Berlin WWW : <a href="https://www.dfn.de" class="">https://www.dfn.de</a><br class="">---------------------------------------------------------------------<br class="">--------------------- Deutsches Forschungsnetz ----------------------<br class="">--------- Germany's National Research and Education Network ---------<br class="">---------------------------------------------------------------------<br class=""><br class=""></blockquote><br class=""><br class=""><br class="">-- <br class="">Marcus.<br class=""></blockquote><br class=""><br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">--<br class="">Nicolas Liampotis<br class="">AAI Research Engineer</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">GRNET - Greek Research and Technology Network<br class="">7, Kifisias Av., 115 23, Athens, Greece</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">k: 0xAC118B82</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; 
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">t: +30 210 7474264<br class="">f: +30 210 7474490</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="text-align: start; text-indent: 0px;">Follow us: <a href="http://www.grnet.gr" class="">www.grnet.gr</a><div class="">Twitter: @grnet_gr | Facebook: @grnet.gr</div><div class="">LinkedIn: grnet | YouTube: GRNET EDET</div></div></div></div></div>
</div>
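<div class="">The thread settles on carrying assurance in three places: acr/amr in the ID token, eduperson_assurance in UserInfo (or the ID token on request), and, as Nicolas suggests, all of them in the RFC 7662 introspection response so a resource server can authorise on them. What a relying party then needs is one routine that gathers those claims from whichever of the three sources it holds and evaluates a policy against them. The Python below is an added example written for this page; it is not code from the thread, from Nikhef, GRNET or any OpenID Foundation project. Everything in it is assumed: the sample claim sets are constructed, the ID token is taken to be already signature-, issuer-, audience- and expiry-checked, the policy values (REFEDS SFA as acr, IAP/medium and ID/unique as required RAF values) are illustrative, and the decision to treat RAF URIs found in either amr or eduperson_assurance as one asserted set follows Mischa's example of placing them in both claims. It also accepts a bare string where an array is expected, which is the "single-valuedness" worry Marcus raised, and refuses to use an introspection response whose "active" member is not true.</div>

```python
from __future__ import annotations

from typing import Any, Mapping

RAF = "https://refeds.org/assurance/"
SFA = "https://refeds.org/profile/sfa"

# Constructed sample claim sets for this example (not taken from the thread).
# A real RP verifies the ID token signature, iss, aud, exp and nonce before
# looking at these values; that step is assumed done here.
ID_TOKEN_CLAIMS: dict[str, Any] = {
    "iss": "https://op.example.org",
    "sub": "248289761001",
    "acr": SFA,
    "amr": ["pwd", RAF + "IAP/medium", RAF + "ID/unique"],
}
USERINFO_CLAIMS: dict[str, Any] = {
    "sub": "248289761001",
    "eduperson_assurance": [
        RAF + "ATP/ePA-1d",
        RAF + "IAP/low",
        RAF + "IAP/medium",
        RAF + "ID/unique",
        RAF + "profile/cappuccino",
    ],
}
# What a resource server holding only an access token would get from an
# RFC 7662 introspection endpoint. This (assumed) provider emits a bare
# string instead of an array: the single-valued case from the thread.
INTROSPECTION_RESPONSE: dict[str, Any] = {
    "active": True,
    "sub": "248289761001",
    "acr": SFA,
    "eduperson_assurance": RAF + "IAP/medium",
}


def as_string_set(value: Any) -> set[str]:
    """Normalise a claim that should be a JSON array of case-sensitive strings.
    Accepts a list/tuple, a single string, or a missing claim; anything else
    is a malformed token and is rejected rather than silently ignored."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, tuple)):
        if not all(isinstance(v, str) for v in value):
            raise TypeError("array claim must contain only strings")
        return set(value)
    raise TypeError(f"unsupported claim value type: {type(value).__name__}")


def claims_from_introspection(resp: Mapping[str, Any]) -> dict[str, Any]:
    """RFC 7662: when "active" is not true, no other member may be relied on."""
    if resp.get("active") is not True:
        return {}
    return dict(resp)


def collect_assurance(*sources: Mapping[str, Any]) -> dict[str, Any]:
    """Merge acr/amr/eduperson_assurance from several claim sources given in
    order of preference (ID token first, then UserInfo or introspection):
    the first string-valued acr wins, the array claims are unioned."""
    acr: str | None = None
    amr: set[str] = set()
    assurance: set[str] = set()
    for src in sources:
        if acr is None and isinstance(src.get("acr"), str):
            acr = src["acr"]
        amr |= as_string_set(src.get("amr"))
        assurance |= as_string_set(src.get("eduperson_assurance"))
    return {"acr": acr, "amr": amr, "eduperson_assurance": assurance}


def raf_values(merged: Mapping[str, Any]) -> set[str]:
    """RAF URIs may be carried in amr and/or eduperson_assurance, so the
    asserted set is the union of both, restricted to the RAF prefix. Non-RAF
    amr entries such as "pwd" stay out of the assurance decision."""
    return {v for v in merged["amr"] | merged["eduperson_assurance"] if v.startswith(RAF)}


def meets_policy(
    merged: Mapping[str, Any],
    *,
    required_acr: str | None = None,
    required_assurance: set[str] | frozenset[str] = frozenset(),
) -> tuple[bool, list[str]]:
    """Exact, case-sensitive comparison: OIDC Core defines amr values as
    case-sensitive strings and RAF values are URIs, so nothing is folded.
    Returns (ok, reasons) so a deny can be logged with the missing values."""
    reasons: list[str] = []
    if required_acr is not None and merged["acr"] != required_acr:
        reasons.append(f"acr {merged['acr']!r} does not match {required_acr!r}")
    missing = set(required_assurance) - raf_values(merged)
    if missing:
        reasons.append("missing RAF values: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    policy = {RAF + "IAP/medium", RAF + "ID/unique"}
    print(meets_policy(collect_assurance(ID_TOKEN_CLAIMS, USERINFO_CLAIMS),
                       required_acr=SFA, required_assurance=policy))
    print(meets_policy(collect_assurance(claims_from_introspection(INTROSPECTION_RESPONSE)),
                       required_acr=SFA, required_assurance=policy))
```

<div class="">Run stand-alone, the first decision is granted (ID token plus UserInfo together carry IAP/medium and ID/unique) and the second is denied, because the constructed introspection response only asserts IAP/medium: the same policy gives different answers depending on which endpoints the provider populates, which is the practical reason for exposing the claims through all three. Prefix filtering in raf_values is what lets amr keep its ordinary method identifiers ("pwd", "otp") next to RAF URIs without those leaking into the assurance decision.</div>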
<br class=""></body></html>