The IESG has approved the following document: - 'OAuth 2.0 Step-up Authentication Challenge Protocol' (draft-ietf-oauth-step-up-authn-challenge-17.txt) as Proposed Standard
This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Paul Wouters and Roman Danyliw. A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/ Technical Summary It is not uncommon for resource servers to require different authentication strengths or recentness according to the characteristics of a request. This document introduces a mechanism for a resource server to signal to a client that the authentication event associated with the access token of the current request does not meet its authentication requirements and specify how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or recentness when processing an authorization request. Working Group Summary There was WG consensus to publish this document and no noteworthy controversy. Document Quality 1. Ping Identity Has implementations of the functionality in this document for the authorization server and resource server roles. https://docs.pingidentity.com/r/en-us/pingaccess-71/mhu1564006734179 https://docs.pingidentity.com/r/en-us/pingfederate-112/pf_authoriz_endpoint 2. Authlete Authlete 2.3, which is planned to be released next month (January 2023), supports OAuth 2.0 Step-up Authentication Challenge Protocol. https://www.authlete.com/developers/stepup_authn/ 3. HelseID is planning to implement this: https://helseid.atlassian.net/wiki/spaces/HELSEID/pages/493256708/How+to+do+a+step-up+of+the+authentication+level+of+a+user#Step-up-for-APIs 4. Apache HTTPd The plan is to add support to the next release of mod_oauth2, an Apache HTTPd module. https://github.com/zmartzone/mod_oauth2/blob/master/README.md 5. Duende The current version of Duende IdentityServer supports everything included in this proposal, except for the new unmet_authentication_requirement error which has been added for v6.3.0 being released this summer. https://duendesoftware.com/ Personnel - Document Shepherd: Rifaat Shekh-Yusef - Responsible AD: Roman Danyliw _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
