The primary purpose of the specification is to establish a registry for "amr" 
JWT claim values.  This is important, as it increases interoperability among 
implementations using this claim.

It's a fair question whether "requested_amr" should be kept or dropped.  I 
agree with John and James that it's bad architecture.  I put it in the -00 
individual draft to document existing practice.  I suspect that should the 
draft be adopted by the working group as a starting point, one of the first 
things the working group will want to decide is whether to drop it.  I suspect 
that I know how this will come out and I won't be sad, architecturally, to see 
it go.

As to whether this belongs in the OAuth working group, long ago it was decided 
that JWT and JWT claim definitions were within scope of the OAuth working 
group.  That ship has long ago sailed, both in terms of RFC 7519 and it 
continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, which 
defines a new JWT claim, and is in the RFC Editor Queue.  Defining a registry 
for values of the "amr" claim, which is registered in the OAuth-established 
registry at http://www.iana.org/assignments/jwt, is squarely within the OAuth 
WG's mission for the creation and stewardship of JWT.

                                -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Wednesday, January 20, 2016 12:44 PM
To: Justin Richer <jric...@mit.edu>
Cc: <oauth@ietf.org> <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference 
Values

I see your point that it is a fine line reporting how a person authenticated to 
an Authorization endpoint (it might be by SAML etc) and encouraging people to use 
OAuth for Authentication.

We already have the amr response in connect.  The only thing really missing is 
a registry.  Unless this is a sneaky way to get requested_amr into Connect?

John B.
> On Jan 20, 2016, at 5:37 PM, Justin Richer <jric...@mit.edu> wrote:
> 
> Just reiterating my stance that this document detailing user authentication 
> methods has no place in the OAuth working group.
> 
> — Justin
> 
>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
>> wrote:
>> 
>> Hi all,
>> 
>> this is the call for adoption of Authentication Method Reference 
>> Values, see
>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>> 
>> Please let us know by Feb 2nd whether you accept / object to the 
>> adoption of this document as a starting point for work in the OAuth 
>> working group.
>> 
>> Note: The feedback during the Yokohama meeting was inconclusive, 
>> namely
>> 9 for / zero against / 6 persons need more information.
>> 
>> Your feedback will therefore be important to find out whether we 
>> should do this work in the OAuth working group.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
