M. Jones | |
Microsoft | |
October 13, 2021 |
OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 01
openid-connect-eap-acr-values-1_0
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
This specification enables OpenID Connect Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials or FIDO authenticators.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
This specification enables OpenID Connect [OpenID.Core] Relying Parties to request that specific authentication context classes be applied to authentications performed and for OpenID Providers to inform Relying Parties whether these requests were satisfied. Specifically, an authentication context class reference value is defined that requests that phishing-resistant authentication be performed and another is defined that requests that phishing-resistant authentication with a hardware-protected key be performed. These policies can be satisfied, for instance, by using W3C scoped credentials [W3C.REC-webauthn-2-20210408] or FIDO authenticators [FIDO.v2.1-ps-20210615].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of this fixed-width font.
This specification uses the terms defined by OpenID Connect Core 1.0.
The acr (Authentication Context Class Reference) claim and associated acr_values request parameter are defined by the OpenID Connect Core 1.0 specification [OpenID.Core]. The following Authentication Context Class Reference values are defined by this specification:
The IANA "Authentication Method Reference Values" registry [IANA.AMR] established by [RFC8176] contains Authentication Method Reference values to use in the amr (Authentication Methods References) claim [OpenID.Core]. The following Authentication Method Reference value is defined by this specification:
Per commonly accepted security practices, it should be noted that the overall strength of any authentication is only as strong as its weakest step. It is thus recommended that provisioning of phishing-resistant and other credentials stronger than shared secrets should be accomplished using methods that are at least as strong as the credential being provisioned. By counter-example, allowing people to retrieve a phishing-resistant credential using only a phishable shared secret negates much of the value provided by the phishing-resistant credential itself. Similarly, sometimes using a phishing-resistant method when a phishable method continues to also sometimes be employed may still enable phishing attacks to compromise the authentication.
This specification registers the following values in the IANA "Level of Assurance (LoA) Profiles" registry [IANA.LoA] established by [RFC6711]:
This specification registers the following value in the IANA "Authentication Method Reference Values" registry [IANA.AMR] established by [RFC8176]:
[IANA.AMR] | IANA, "Authentication Method Reference Values" |
[IANA.LoA] | IANA, "Level of Assurance (LoA) Profiles" |
[OpenID.Core] | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", November 2014. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC6711] | Johansson, L., "An IANA Registry for Level of Assurance (LoA) Profiles", RFC 6711, DOI 10.17487/RFC6711, August 2012. |
[RFC6749] | Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012. |
[RFC8176] | Jones, M., Hunt, P. and A. Nadalin, "Authentication Method Reference Values", RFC 8176, DOI 10.17487/RFC8176, June 2017. |
[FIDO.v2.1-ps-20210615] | Bradley, J., Hodges, J., Jones, M., Kumar, A., Lindemann, R. and J. Verrept, "Client to Authenticator Protocol (CTAP)", FIDO Alliance Proposed Standard v2.1-ps-20210615, June 2021. |
[OpenID.PAPE] | Recordon, D., Jones, M., Bufu, J., Daugherty, J. and N. Sakimura, "OpenID Provider Authentication Policy Extension 1.0", December 2008. |
[W3C.REC-webauthn-2-20210408] | Hodges, J., Jones, J., Jones, M., Kumar, A. and E. Lundberg, "Web Authentication: An API for accessing Public Key Credentials Level 2", World Wide Web Consortium Recommendation REC-webauthn-2-20210408, April 2021. |
The phishing-resistant authentication definition is a result of earlier work done by the OpenID Provider Authentication Policy Extension (PAPE) working group. Christiaan Brand suggested creation and registration of the pop ACR value.
Copyright (c) 2021 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
[[ To be removed from the final specification ]]
-01
-00