Re: [OAUTH-WG] Authentication Method Reference Values is now RFC 8176

2017-06-16 Thread Phil Hunt (IDM)
Thank you Mike! Phil > On Jun 16, 2017, at 5:50 PM, Mike Jones wrote: > > The Authentication Method Reference Values specification is now RFC 8176. > The abstract describes the specification as: > > The amr (Authentication Methods References) claim is defined and registered > in the IANA "

[OAUTH-WG] Authentication Method Reference Values is now RFC 8176

2017-06-16 Thread Mike Jones
The Authentication Method Reference Values specification is now RFC 8176. The abstract describes the specification as: The amr (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no st

Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-21 Thread Anthony Nadalin
I’m not aware of any IPR From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Tuesday, September 20, 2016 8:54 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation I am aware of no IPR. Phil

Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-20 Thread Phil Hunt (IDM)
Sent: Monday, September 19, 2016 2:21 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Authentication Method Reference Values Document: IPR > Confirmation > > Hi Mike, Phil, Tony, > > > I am working on the shepherd writeup for the AMR document: > https://tools.ietf.org/ht

Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-19 Thread Mike Jones
I am aware of no IPR on this specification. -- Mike -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, September 19, 2016 2:21 AM To: oauth@ietf.org Subject: [OAUTH-WG] Authentication Method

[OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-19 Thread Hannes Tschofenig
Hi Mike, Phil, Tony, I am working on the shepherd writeup for the AMR document: https://tools.ietf.org/html/draft-ietf-oauth-amr-values-02 One item in the template requires me to indicate whether each document author has confirmed that any and all appropriate IPR disclosures required for full c

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-16 Thread Jim Manico
>> Google is already using some of these values. Microsoft is using some of >>>>>> them. The OpenID MODRNA specs are using some of them. So it seems more >>>>>> efficient to register them at the same time. >>>>>> >>>>>> T

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-15 Thread Nat Sakimura
>>> That would be my preference. >>> >> >> +1, it is also my preference to register the current values. >> >> I don't see any harm in the spec that establishes the registry also >> seeding it with all known values in use at the time of drafting

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-15 Thread Phil Hunt (IDM)
g some of >>>>>> them. The OpenID MODRNA specs are using some of them. So it seems more >>>>>> efficient to register them at the same time. >>>>>> >>>>>> That would be my preference. >>>>> >>>>> +1, it i

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-15 Thread Phil Hunt (IDM)
OpenID MODRNA specs are using some of them. So it seems more efficient to >>>>> register them at the same time. >>>>> >>>>> That would be my preference. >>>> >>>> +1, it is also my preference to register the current values.

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-15 Thread John Bradley
er >>> them at the same time. >>> >>> That would be my preference. >>> >>> +1, it is also my preference to register the current values. >>> >>> I don't see any harm in the spec that establishes the registry also seeding >>

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-15 Thread Jim Manico
es. >>> >>> I don't see any harm in the spec that establishes the registry also seeding >>> it with all known values in use at the time of drafting, regardless of the >>> group that originally specified them. Makes the original spec more useful, >

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-14 Thread tors...@lodderstedt.net
I meant William - sorry! Original message Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized From: Torsten Lodderstedt To: William Denniss ,Mike Jones Cc: "" >Hi Denniss, > >out of curiosity: Does Google use

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-14 Thread Torsten Lodderstedt
11:11 AM To: Phil Hunt <mailto:phil.h...@oracle.com> Cc: <mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized Can we just do that, then? Seems to be the easiest way to address various needs and concern

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-14 Thread Thomas Broyer
On Sun, Feb 14, 2016, 02:40, William Denniss wrote: > On Sat, Feb 13, 2016 at 12:19 PM, Mike Jones > wrote: > >> It's an acceptable fallback option if the working group decides it >> doesn't want to register the values that are already in production use at >> the time we establish the registr

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Justin Richer
ld be my preference. > > -- Mike > From: Justin Richer <mailto:jric...@mit.edu> > Sent: 2/13/2016 11:11 AM > To: Phil Hunt <mailto:phil.h...@oracle.com> > Cc: <mailto:oauth@ietf.org> > Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Mike Jones
h...@oracle.com> Cc: <mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized Can we just do that, then? Seems to be the easiest way to address various needs and concerns. — Justin On Feb 13, 2016, at 11:08 AM, Phil Hunt (IDM) mailto:

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Justin Richer
@lodderstedt.net>" <mailto:tors...@lodderstedt.net>> wrote: > >> So basically, the RFC could also just establish the new registry and oidf >> could fill in the values? >> >> (just trying to understand) >> >> >> >> Or

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Phil Hunt (IDM)
e > of doing this. > > > > -- Mike > > > > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of > tors...@lodderstedt.net > Sent: Saturday, February 13, 2016 6:37 AM > To: John Bradley > Cc: oauth@ie

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
So basically, the RFC could also just establish the new registry and oidf could fill in the values? (just trying to understand) Original message Subject: RE: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized From: Mike Jones To: tors

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread John Bradley
uth in this spec. > > Right now, I think it creates the impression oauth is for authentication. > > > > Original message > Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for > Adoption Finalized > From: John Bradley > To: tors.

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Mike Jones
one example of doing this. -- Mike From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of tors...@lodderstedt.net Sent: Saturday, February 13, 2016 6:37 AM To: John Bradley Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
. (2) amr is of any use in oauth (although it has been invented in oidc) - then define it and motivate its use in oauth in this spec. Right now, I think it creates the impression oauth is for authentication. Original message Subject: Re: [OAUTH-WG] Authentication M

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread John Bradley
rds, > Torsten. > > > > Original message > From: Roland Hedberg > Sent: Friday, February 12, 2016 05:45 PM > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for > Adoption Finalized > > +1

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
, February 12, 2016 05:45 PM To: oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized >+1 > >> On 12 Feb 2016, at 16:58, John Bradley wrote: >> >> +1 to adopt this draft. >> >>> On Feb 12, 2016, at 3:07 AM

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-12 Thread Roland Hedberg
-- Mike >> >> -Original Message- >> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig >> Sent: Thursday, February 4, 2016 11:23 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Authentication Method

Re: [OAUTH-WG] Authentication Method Reference Values spec incorporating adoption feedback

2016-02-12 Thread Mike Jones
12, 2016 12:32 AM To: Mike Jones ; oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication Method Reference Values spec incorporating adoption feedback So, you just removed every relationship to OAuth (and the note about OAuth and authentication seems a bit out of context), and I thus wonder why

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-12 Thread John Bradley
-- Mike >   <> > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Thursday, February 4, 2016 11:23 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption > Finalized

Re: [OAUTH-WG] Authentication Method Reference Values spec incorporating adoption feedback

2016-02-12 Thread Thomas Broyer
So, you just removed every relationship to OAuth (and the note about OAuth and authentication seems a bit out of context), and I thus wonder why the OAuth WG would adopt this draft; that'd rather be a JOSE thing. On Fri, Feb 12, 2016, 07:03, Mike Jones wrote: > This draft of the Authenticatio

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-11 Thread Phil Hunt (IDM)
@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Thursday, February 4, 2016 11:23 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption > Finalized > > Hi all, > > On January 19th I posted a call for adoption of the Aut

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-11 Thread Mike Jones
February 4, 2016 11:23 AM To: oauth@ietf.org Subject: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized Hi all, On January 19th I posted a call for adoption of the Authentication Method Reference Values specification, see http://www.ietf.org/mail-archive/web/oa

[OAUTH-WG] Authentication Method Reference Values spec incorporating adoption feedback

2016-02-11 Thread Mike Jones
This draft of the Authentication Method Reference Values specification incorporates OAuth working group feedback from the call for adoption. The primary change was to remove the "amr_values" request parameter, so that "amr" values can still be returned as part of an authentication result, but c

[OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the Authentication Method Reference Values specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15402.html What surprised us is that this work is conceptually very simple: we define new claims and create a registry with n

[OAUTH-WG] Authentication Method Reference Values coordination with OpenID MODRNA

2015-12-15 Thread Mike Jones
Authentication Method Reference Values draft -04 added the values "face" (facial recognition), "geo" (geolocation), "hwk" (proof-of-possession of a hardware-secured key), "pin" (Personal Identification Number or pattern), and "swk" (proof-of-possession of a software-secured key), and removed the

[OAUTH-WG] Authentication Method Reference Values Registration Instructions

2015-12-04 Thread Mike Jones
Authentication Method Reference Values draft -03 adds the criterion to the IANA registration instructions that the value being registered be in actual use. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-amr-values-03 An HTML formatted version is also a

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-08-13 Thread Mike Jones
Jones; William Denniss; Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification I am in favor of William's proposal. In addition, I would like to see one for 2nd channel auth, 2ch. That would indicate some resilience against MITB. On Saturday, July 25, 2015, Brian Cam

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-08-13 Thread Mike Jones
To: Mike Jones Cc: Nat Sakimura; William Denniss; Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification There's a method of authentication that is gaining in popularity which I'd propose adding a method for. It is typically used as a second factor where after a pr

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-08-13 Thread Mike Jones
23, 2015 6:22 PM To: William Denniss Cc: Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification So, allow me a naive question. I suppose there are good random otp, as well as pretty bad otp etc. Would it be useful to say just "otp". Would it not be better to have at

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-08-13 Thread Mike Jones
at present. Thus, I’ve left it in the spec at present. -- Mike From: William Denniss [mailto:wdenn...@google.com] Sent: Thursday, July 23, 2015 6:05 AM To: Brian Campbell Cc: Mike Jones; Subject: Re: [OAUTH-WG] Authentication Method

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-26 Thread Nat Sakimura
>> developers who actually wanted this for a particular purpose but I’ll have >> to get back to the WG on that. It’s defined here, rather than in another >> spec, because it’s highly related to the “amr” values. >> >> >> >> -- Mike >

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-25 Thread Brian Campbell
to the WG on that. It’s defined here, rather than in another > spec, because it’s highly related to the “amr” values. > > > > -- Mike > > > > *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Nat Sakimu

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Mike Jones
is a start at that. -- Mike From: John Bradley [mailto:ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>] Sent: Thursday, July 23, 2015 9:30 AM To: Justin Richer Cc: Mike Jones; mailto:oauth@ietf.org>> Subject: Re: [OAUTH-WG] A

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Nat Sakimura
r” is preferable. The text at >>> http://self-issued.info/docs/draft-jones-oauth-amr-values-00.html#acrRelationship >>> is a start at that. >>> >>> >>> >>> -- Mike >>> >

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Phil Hunt
I do tend to agree John that clients shouldn't be able to force the sp on choices. My thought was that it was useful to have a registry so we can have standard auth method values for protocols that get written like oidc. It may be useful elsewhere. Anyway as a general rule I think it is som

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Brian Campbell
draft-jones-oauth-amr-values-00.html#acrRelationship > is a start at that. > > > > -- Mike > > > > *From:* John Bradley [mailto:ve7...@ve7jtb.com] > *Sent:* Thursday, July 23, 2015 9:30 AM > *To:*

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Mike Jones
that. -- Mike From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Thursday, July 23, 2015 9:30 AM To: Justin Richer Cc: Mike Jones; Subject: Re: [OAUTH-WG] Authentication Method Reference Values Specification I don’t personally have a

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread John Bradley
I don’t personally have a problem with people defining values for AMR and creating an IANA registry. That exists for ACR. I am on record as not supporting clients requesting amr as it is a bad idea and the spec mentions that at the same time it defines a new request parameter for it. It is pr

Re: [OAUTH-WG] Authentication Method Reference Values Specification

2015-07-23 Thread Justin Richer
Useful work, but shouldn’t this be defined in the OIDF, where the “amr” parameter is defined? — Justin > On Jul 22, 2015, at 7:48 PM, Mike Jones wrote: > > Phil Hunt and I have posted a new draft that defines some values used with > the “amr” (Authentication Methods References) claim and est

[OAUTH-WG] Authentication Method Reference Values Specification

2015-07-22 Thread Mike Jones
Phil Hunt and I have posted a new draft that defines some values used with the "amr" (Authentication Methods References) claim and establishes a registry for Authentication Method Reference values. These values include commonly used authentication methods like "pwd" (password) and "otp" (one ti

Re: [OAUTH-WG] Authentication

2014-09-04 Thread Richer, Justin P.
As John points out, that could be either resource owner or client credentials flow, depending on the use case. -- Justin On Sep 4, 2014, at 11:43 AM, Sergey Beryozkin wrote: > Hi Justin > > > On 04/09/14 13:15, Richer, Justin P. wrote: >> Neither of these are authentication (they don't tell

Re: [OAUTH-WG] Authentication

2014-09-04 Thread Sergey Beryozkin
Hi Justin On 04/09/14 13:15, Richer, Justin P. wrote: Neither of these are authentication (they don't tell the client or business logic server who the user is or if they're still there), they're authorization and they're both well within the scope of OAuth. The first one is a redirect flow,

Re: [OAUTH-WG] Authentication

2014-09-04 Thread Richer, Justin P.
Neither of these are authentication (they don't tell the client or business logic server who the user is or if they're still there), they're authorization and they're both well within the scope of OAuth. The first one is a redirect flow, that actually works (in OAuth) like this: 1) Clients ca

Re: [OAUTH-WG] Authentication

2014-09-04 Thread John Bradley
Inline On Sep 4, 2014, at 11:30 AM, Frizz wrote: > Hello there, > > I have a question regarding Authentication: > > The following two scenarios, are they typical use cases for OAuth? Or > OpenId-Connect? Or something completely different? > > Flow (A) would be like this: > (1) Client calls Bu

[OAUTH-WG] Authentication

2014-09-04 Thread Frizz
Hello there, I have a question regarding Authentication: The following two scenarios, are they typical use cases for OAuth? Or OpenId-Connect? Or something completely different? Flow (A) would be like this: (1) Client calls Business Logic Server (2) Server detects there’s no Access Token in HTTP

Re: [OAUTH-WG] Authentication Methods

2011-11-02 Thread John Bradley
That probably depends on what authentication you are asking about. Authentication of the client to the protected resource has two profiles MAC & Bearer. Authentication of the client to the Token Endpoint has an example in the OAuth spec using client_id and a symmetric secret. That is extensible

Re: [OAUTH-WG] Authentication Methods

2011-11-02 Thread Justin Richer
Please clarify what you're asking, if you would: There are two kinds of authentication which happen with OAuth: client authentication and user authentication, and neither of which are standardized on two-way TLS. Client authentication happens at the token endpoint and is described in section 2.3,

[OAUTH-WG] Authentication Methods

2011-11-02 Thread Elliot Cameron
What are some common or suggested authentication methods that are used in conjunction with OAuth 2.0? Is TLS/SSL the only standard one or do people normally roll their own authentication within OAuth's flows? Elliot Cameron Covenant Eyes Software Developer elliot.came...@covenanteyes.com

Re: [OAUTH-WG] Authentication-Info Header

2010-01-21 Thread Yutaka Oiwa
On 2010/01/21 3:17, Eran Hammer-Lahav wrote: > I am not aware of other authentication schemes using this header > than Digest, and since Digest limits the allowed values, extending > this header field to mean *any* status information (not just > successful) should not break or chang

Re: [OAUTH-WG] Authentication-Info Header

2010-01-21 Thread Julian Reschke
Eran Hammer-Lahav wrote: Any comments? Suggestions? Sorry for the delay. It was on my TODO list, but that list got too long. EHL On 12/4/09 9:19 AM, "Eran Hammer-Lahav" wrote: The Authentication-Info header should be added to draft-ietf-httpbis-p7-auth to provide a complete list o

Re: [OAUTH-WG] Authentication-Info Header

2010-01-20 Thread Alexey Melnikov
Eran Hammer-Lahav wrote: Any comments? Suggestions? Hi Eran, Speaking as an individual contributor: EHL On 12/4/09 9:19 AM, "Eran Hammer-Lahav" wrote: The Authentication-Info header should be added to draft-ietf-httpbis-p7-auth to provide a complete list of all the defined aut

Re: [OAUTH-WG] Authentication-Info Header

2010-01-20 Thread Eran Hammer-Lahav
Any comments? Suggestions? EHL On 12/4/09 9:19 AM, "Eran Hammer-Lahav" wrote: The Authentication-Info header should be added to draft-ietf-httpbis-p7-auth to provide a complete list of all the defined authentication headers. It should generalize the definition to make it useful for new authe