OpenID Connect EAP ACR Values 1.0 March 2025
Jones Standards Track [Page]
Workgroup:
OpenID Extended Authentication Profile (EAP) Working Group
Published:
Author:
M.B. Jones
Self-Issued Consulting

OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 02

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators.

Table of Contents

1. Introduction

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This specification enables OpenID Connect [OpenID.Core] Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials [W3C.WebAuthn] or FIDO authenticators [FIDO.CTAP].

1.1. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174].

1.2. Terminology

This specification uses the terms defined by OpenID Connect Core 1.0 [OpenID.Core].

2. Authentication Context Class Reference Values

The acr (Authentication Context Class Reference) claim and associated acr_values request parameter are defined by the OpenID Connect Core 1.0 specification [OpenID.Core]. The following Authentication Context Class Reference values are defined by this specification:

phr
Phishing-Resistant. An authentication mechanism where a party potentially under the control of the Relying Party cannot gain sufficient information to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider). NOTE: These semantics are the same as those specified in [OpenID.PAPE].
phrh
Phishing-Resistant Hardware-Protected. An authentication mechanism meeting the requirements for phishing-resistant authentication above in which additionally information needed to be able to successfully authenticate to the End User's OpenID Provider as if that party were the End User is held in a hardware-protected device or component.

3. Authentication Method Reference Value

The IANA "Authentication Method Reference Values" registry [IANA.AMR] established by [RFC8176] contains Authentication Method Reference values to use in the amr (Authentication Methods References) claim [OpenID.Core]. The following Authentication Method Reference value is defined by this specification:

pop
Proof-of-possession of a key. Unlike the existing hwk and swk methods, it is unspecified whether the proof-of-possession key is hardware-secured or software-secured.

4. Security Considerations

Per commonly accepted security practices, it should be noted that the overall strength of any authentication is only as strong as its weakest step. It is thus recommended that provisioning of phishing-resistant and other credentials stronger than shared secrets should be accomplished using methods that are at least as strong as the credential being provisioned. By counter-example, allowing people to retrieve a phishing-resistant credential using only a phishable shared secret negates much of the value provided by the phishing-resistant credential itself. Similarly, sometimes using a phishing-resistant method when a phishable method continues to also sometimes be employed may still enable phishing attacks to compromise the authentication.

5. IANA Considerations

5.1. Level of Assurance Profiles Registration

This specification registers the following values in the IANA "Level of Assurance (LoA) Profiles" registry [IANA.LoA] established by [RFC6711]:

5.1.1. Registry Contents

  • URI: http://schemas.openid.net/pape/policies/2007/06/phishing-resistant

  • Name: phr

  • Informational URI: Section 2 of this specification

  • Reference: michael_b_jones@hotmail.com

  • Context Class: phishing-resistant.xsd

  • URI: http://schemas.openid.net/acr/2016/07/phishing-resistant-hardware

  • Name: phrh

  • Informational URI: Section 2 of this specification

  • Reference: michael_b_jones@hotmail.com

  • Context Class: phishing-resistant-hardware.xsd

5.2. Authentication Method Reference Values Registration

This specification registers the following value in the IANA "Authentication Method Reference Values" registry [IANA.AMR] established by [RFC8176]:

5.2.1. Registry Contents

  • Authentication Method Reference Name: pop

  • Authentication Method Reference Description: Proof-of-possession of a key

  • Change Controller: OpenID Foundation Enhanced Authentication Profile Working Group - openid-specs-eap@lists.openid.net

  • Specification Document(s): Section 3 of this specification

6. References

6.1. Normative References

[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M.B., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", , <https://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.

6.2. Informative References

[FIDO.CTAP]
Bradley, J., Jones, M.B., Kumar, A., Lindemann, R., Verrept, J., and D. Waite, "Client to Authenticator Protocol (CTAP)", FIDO Alliance Proposed Standard v2.2-ps-20250228, , <https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html>.
[IANA.AMR]
IANA, "Authentication Method Reference Values", <https://www.iana.org/assignments/authentication-method-reference-values>.
[IANA.LoA]
IANA, "Level of Assurance (LoA) Profiles", <https://www.iana.org/assignments/loa-profiles>.
[OpenID.PAPE]
Recordon, D.R., Jones, M.J., Bufu, J.B., Ed., Daugherty, J.D., Ed., and N.S. Sakimura, "OpenID Provider Authentication Policy Extension 1.0", , <https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html>.
[RFC6711]
Johansson, L., "An IANA Registry for Level of Assurance (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, , <https://www.rfc-editor.org/info/rfc6711>.
[RFC8176]
Jones, M., Hunt, P., and A. Nadalin, "Authentication Method Reference Values", RFC 8176, DOI 10.17487/RFC8176, , <https://www.rfc-editor.org/info/rfc8176>.
[W3C.WebAuthn]
Hodges, J., Jones, J.C., Jones, M.B., Kumar, A., and E. Lundberg, "Web Authentication: An API for accessing Public Key Credentials Level 2", World Wide Web Consortium Recommendation REC-webauthn-2-20210408, , <https://www.w3.org/TR/2021/REC-webauthn-2-20210408/>.

Appendix A. Acknowledgements

The phishing-resistant authentication definition is a result of earlier work done by the OpenID Provider Authentication Policy Extension (PAPE) working group. Christiaan Brand suggested creation and registration of the pop ACR value. Leif Johansson helped with the Level of Assurance Profiles registrations.

Appendix B. Notices

Copyright (c) 2025 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft, Final Specification, or Final Specification Incorporating Errata Corrections solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts, Final Specifications, and Final Specification Incorporating Errata Corrections based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy (found at openid.net) requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. OpenID invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Appendix C. Document History

[[ To be removed from the final specification ]]

-02

-01

-00

Author's Address

Michael B. Jones
Self-Issued Consulting
URI: https://self-issued.info/