This repository was archived by the owner on Feb 25, 2019. It is now read-only.

Support amr claim. #136

Closed
christiansmith opened this issue Jul 30, 2015 · 8 comments

Comments

@christiansmith
Member

When ID Tokens are issued they should optionally include the amr claim. This claim represents the authentication methods used to sign in the user. There's an IETF draft Authentication Method Reference Values that defines an initial set of values.

@topperge For our use case, some clients might deny access if a user didn't provide a high enough authentication, or ask the server to step up auth if too low
The second is more advanced later on
You can look at your balance with password, but we want SMS or MFA if you are about to transfer money

The values for the claim could be defined in provider configuration. We could keep track on req.session of which methods are active for a given session. These should potentially have different TTLs, etc.

@adalinesimonian
Member

If I understand the suggestions correctly:

amr values

  • pwd - Local/password authentication strategy
  • otp - HOTP/TOTP, SMS tokens, E-mail-only authentication, anything which uses disposable tokens
  • pop - Key-based auth, ala using keys for authenticating SSH connections
  • kba - Security questions, personalized secret pictures/info for sign-in screen
  • sms - User replies to an SMS notification to confirm authentication request
  • tel - User answers phone call to confirm authentication request
  • wia - Windows Integrated Authentication (not AD, but Kerberos?)
  • fpt - Fingerprints
  • eye - Retina scan
  • vbm - Voice biometric

@adalinesimonian
Member

When using two-factor authentication with a Microsoft account and the Microsoft authenticator app, Microsoft's servers will push a notification to the app on a sign-in attempt. The app then has two options: authorize the request or deny it.

In this case, this isn't otp. But, neither is it sms or tel, because there's no phone call or SMS message involved. Where does it fit?

@topperge

So, in digging some more, it might be smart to do both acr and amr at the same time. In many cases they are related within the process. For our use case we only have one authenticating authority so we don't care about acr, but I see the use case for others.

acr
OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string.

acr is a single value (and defined), and amr is multi-valued, whatever the AS and client agree upon.
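The client-side use case described earlier in this thread (view a balance with a password, but require a second factor before transferring money) combined with the acr/amr distinction above is shown below as an added example. This is not Anvil Connect's code: it is a relying-party policy check that runs over the claims of an ID token whose signature has already been verified. The acr ordering (`ACR_RANK`), the `urn:example:...` values, the operation table and the `evaluate` function are all constructed for the example, since the spec leaves acr meanings to agreement between the parties.

```javascript
// Added example (not part of the project): relying-party step-up decision from
// acr (single-valued) and amr (multi-valued) claims of an already-verified ID token.

// acr is one string; which values outrank which is a per-deployment agreement.
// These URNs and ranks are constructed for the example. "0" is the spec's
// "did not meet level 1" value (e.g. a long-lived cookie) and must never
// authorise anything of monetary value.
const ACR_RANK = {
  '0': 0,
  'urn:example:acr:password': 1,
  'urn:example:acr:mfa': 2,
};

// amr values (from the draft list discussed in this thread) that count as a
// second factor for step-up purposes. Constructed policy choice.
const SECOND_FACTOR = new Set(['otp', 'sms', 'tel', 'pop', 'fpt', 'eye', 'vbm']);

// Per-operation requirements. Constructed policy table.
const OPERATION_POLICY = {
  viewBalance:   { minAcr: 1, requireAmr: ['pwd'], requireSecondFactor: false },
  transferFunds: { minAcr: 2, requireAmr: ['pwd'], requireSecondFactor: true },
};

// Returns { allow: true } or { allow: false, reason } so the caller can either
// deny or redirect the user to the provider for step-up authentication.
function evaluate(claims, operation) {
  const policy = OPERATION_POLICY[operation];
  if (!policy) throw new Error('unknown operation: ' + operation);

  // A missing acr is treated as level 0, never as "good enough".
  const acr = typeof claims.acr === 'string' ? claims.acr : '0';
  const amr = Array.isArray(claims.amr) ? claims.amr : [];

  const rank = ACR_RANK[acr];
  if (rank === undefined) {
    // Unregistered/unagreed acr values are rejected rather than guessed at.
    return { allow: false, reason: 'unrecognised acr value: ' + acr };
  }
  if (rank < policy.minAcr) {
    return { allow: false, reason: 'step-up required: acr level ' + rank + ' < ' + policy.minAcr };
  }
  const missing = policy.requireAmr.filter((m) => !amr.includes(m));
  if (missing.length > 0) {
    return { allow: false, reason: 'missing amr value(s): ' + missing.join(',') };
  }
  if (policy.requireSecondFactor && !amr.some((m) => SECOND_FACTOR.has(m))) {
    return { allow: false, reason: 'step-up required: no second factor in amr' };
  }
  return { allow: true };
}

// Constructed sample claims (as they would appear in a decoded, verified ID token).
const passwordOnly = { sub: 'user-1', acr: 'urn:example:acr:password', amr: ['pwd'] };
const withOtp      = { sub: 'user-1', acr: 'urn:example:acr:mfa', amr: ['pwd', 'otp'] };

console.log('viewBalance / pwd only  :', evaluate(passwordOnly, 'viewBalance'));
console.log('transferFunds / pwd only:', evaluate(passwordOnly, 'transferFunds'));
console.log('transferFunds / pwd+otp :', evaluate(withOtp, 'transferFunds'));
```

Both checks are needed: acr alone says which assurance class the provider claims was met, while amr says which concrete methods were used, so a provider that issues a high acr without a second-factor amr value (or vice versa) is caught either way.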

@topperge

@vsimonian those values are still up in the air right now; it's a draft spec. I'm sure they will change over time. I'm assuming in the MSFT case they would treat that as an otp.

@christiansmith
Member Author

Working on this in a new branch. We now have basic support for the amr claim with password signup/signin using any of the OIDC auth flows.

When a user authenticates with the local password provider, the amr claim with a value of ['pwd'] will be added to the newly issued id_token. We're set up so that any subsequent authentication during the course of the same session can be made to add its amr value to the set. When a user signs out, the amr values will be deleted from the session, so that future authentication attempts will be starting from scratch.

Please comment with requirements for other authentication methods, configurability, etc.
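The session bookkeeping described in this comment and in the opening post (methods accumulate on the session across a sign-in, each with its own TTL, and are dropped on sign-out) is shown below as an added example. It is not the project's implementation: the function names (`recordAuthMethod`, `activeAmr`, `clearAmr`, `idTokenClaims`), the TTL table and the shape of the `session.amr` field are all assumptions, and the session object is a plain constructed object standing in for `req.session`.

```javascript
// Added example (not Anvil Connect's own code): track which authentication
// methods are active on a session, with per-method TTLs, and emit the amr claim.

// Constructed policy: how long each method keeps vouching for the session.
// A password login lasts the working session; a one-time code only briefly.
const METHOD_TTL_MS = {
  pwd: 8 * 60 * 60 * 1000,   // 8 hours
  otp: 10 * 60 * 1000,       // 10 minutes
  sms: 10 * 60 * 1000,       // 10 minutes
};

// Record that `method` was just used; stores its expiry on session.amr.
// `now` is injectable so behaviour can be tested without a real clock.
function recordAuthMethod(session, method, now = Date.now()) {
  if (!(method in METHOD_TTL_MS)) {
    throw new Error('unknown amr value: ' + method);
  }
  session.amr = session.amr || {};
  session.amr[method] = now + METHOD_TTL_MS[method];
  return session;
}

// Methods still active at `now`, sorted for a stable claim; expired entries
// are pruned so the session never carries stale values forward.
function activeAmr(session, now = Date.now()) {
  const amr = session.amr || {};
  for (const m of Object.keys(amr)) {
    if (amr[m] <= now) delete amr[m];
  }
  return Object.keys(amr).sort();
}

// Sign-out: forget every method so the next sign-in starts from scratch.
function clearAmr(session) {
  delete session.amr;
  return session;
}

// Build ID token claims from a base set, adding amr only when non-empty.
function idTokenClaims(session, base, now = Date.now()) {
  const amr = activeAmr(session, now);
  const claims = Object.assign({}, base);
  if (amr.length > 0) claims.amr = amr;
  return claims;
}

// Constructed walk-through with a fixed clock.
const session = {};
const t0 = 1700000000000;
recordAuthMethod(session, 'pwd', t0);
recordAuthMethod(session, 'otp', t0 + 1000);
console.log(idTokenClaims(session, { sub: 'user-1' }, t0 + 2000));        // amr: ['otp','pwd']
console.log(idTokenClaims(session, { sub: 'user-1' }, t0 + 11 * 60 * 1000)); // amr: ['pwd']
clearAmr(session);
console.log(idTokenClaims(session, { sub: 'user-1' }, t0 + 11 * 60 * 1000)); // no amr
```

Keeping an expiry per method rather than a single flag is what lets a client that asks for step-up rely on the amr value: an otp that was entered hours ago stops appearing in newly issued tokens even though the password session is still valid.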

@adalinesimonian
Member

#141 has been merged. Documentation is necessary.

@adalinesimonian
Member

Documented - merged connect-docs/#25

@adalinesimonian
Member

Leaving open for review. cc @topperge
