So if this is scoped to be a registry for the values of a JWT claim then it is fine. We should discourage people from thinking that it is part of the OAuth protocol vs JWT claims.
John B.

> On Jan 20, 2016, at 6:29 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> The primary purpose of the specification is to establish a registry for "amr"
> JWT claim values. This is important, as it increases interoperability among
> implementations using this claim.
>
> It's a fair question whether "requested_amr" should be kept or dropped. I
> agree with John and James that it's bad architecture. I put it in the -00
> individual draft to document existing practice. I suspect that should the
> draft be adopted by the working group as a starting point, one of the first
> things the working group will want to decide is whether to drop it. I
> suspect that I know how this will come out and I won't be sad,
> architecturally, to see it go.
>
> As to whether this belongs in the OAuth working group, long ago it was
> decided that JWT and JWT claim definitions were within scope of the OAuth
> working group. That ship has long ago sailed, both in terms of RFC 7519 and
> it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession,
> which defines a new JWT claim, and is in the RFC Editor Queue. Defining a
> registry for values of the "amr" claim, which is registered in the
> OAuth-established registry at http://www.iana.org/assignments/jwt, is
> squarely within the OAuth WG's mission for the creation and stewardship of
> JWT.
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Wednesday, January 20, 2016 12:44 PM
> To: Justin Richer <jric...@mit.edu>
> Cc: <oauth@ietf.org> <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference
> Values
>
> I see your point that it is a fine line reporting how a person authenticated
> to an Authorization endpoint (it might be by SAML etc) and encouraging people
> to use OAuth for Authentication.
>
> We already have the amr response in connect. The only thing really missing
> is a registry.
> Unless this is a sneaky way to get requested_amr into Connect?
>
> John B.
>> On Jan 20, 2016, at 5:37 PM, Justin Richer <jric...@mit.edu> wrote:
>>
>> Just reiterating my stance that this document detailing user authentication
>> methods has no place in the OAuth working group.
>>
>> — Justin
>>
>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net>
>>> wrote:
>>>
>>> Hi all,
>>>
>>> this is the call for adoption of Authentication Method Reference
>>> Values, see
>>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>>>
>>> Please let us know by Feb 2nd whether you accept / object to the
>>> adoption of this document as a starting point for work in the OAuth
>>> working group.
>>>
>>> Note: The feedback during the Yokohama meeting was inconclusive,
>>> namely
>>> 9 for / zero against / 6 persons need more information.
>>>
>>> Your feedback will therefore be important to find out whether we
>>> should do this work in the OAuth working group.
>>>
>>> Ciao
>>> Hannes & Derek
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth