OAuth 2.0 Step Up Authentication Challenge Protocol
draft-ietf-oauth-step-up-authn-challenge-17

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-step-up-authn-challenge@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
Subject: Protocol Action: 'OAuth 2.0 Step-up Authentication Challenge Protocol' to Proposed Standard (draft-ietf-oauth-step-up-authn-challenge-17.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Step-up Authentication Challenge Protocol'
  (draft-ietf-oauth-step-up-authn-challenge-17.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/


Ballot Text

Technical Summary

   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.
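The three roles described in the summary, shown end to end as an added example (this is illustration code, not the draft's text or any of the listed implementations): the resource server compares the token's authentication event against a per-resource policy and, when it falls short, returns a WWW-Authenticate challenge carrying the error code insufficient_user_authentication together with the acr_values and max_age parameters the draft defines; the client parses that challenge into the matching authorization-request parameters; the authorization server either serves the request or answers with the unmet_authentication_requirement error named under Document Quality. The ACR URNs, policy values, sample claims and helper names are constructed for the example.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the validated claims of the access token presented to
# the resource server (from JWT validation or introspection). auth_time is
# the epoch second of the user's authentication event, acr its context class.
SAMPLE_TOKEN_CLAIMS = {"sub": "alice", "acr": "urn:example:loa:1",
                       "auth_time": 1_700_000_000}

# Constructed policy for a sensitive resource: required ACR and maximum
# authentication age in seconds (hypothetical values).
REQUIRED_ACR = "urn:example:loa:2"
MAX_AGE_SECONDS = 300


def unmet_requirements(claims, required_acr, max_age, now):
    """Resource-server check. Returns the unmet requirements ('acr',
    'max_age'); an empty list means the authentication event suffices."""
    unmet = []
    if required_acr is not None and claims.get("acr") != required_acr:
        unmet.append("acr")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        # No auth_time means recency cannot be proven, so treat it as too old.
        if auth_time is None or now - auth_time > max_age:
            unmet.append("max_age")
    return unmet


def build_challenge(required_acr, max_age, unmet):
    """WWW-Authenticate value the RS sends with a 401 when the token's
    authentication event is insufficient. Only the unmet requirements are
    advertised, so the client asks the AS for exactly what is missing."""
    params = ['error="insufficient_user_authentication"',
              'error_description="A different authentication level is required"']
    if "acr" in unmet:
        params.append(f'acr_values="{required_acr}"')
    if "max_age" in unmet:
        params.append(f'max_age="{max_age}"')
    return "Bearer " + ", ".join(params)


# auth-param = token "=" ( token / quoted-string ); quoted values may hold spaces.
_AUTH_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header_value):
    """Client side: parse a Bearer challenge into a dict of its auth-params."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _AUTH_PARAM.finditer(rest)}


def authorization_request_params(challenge, client_id, redirect_uri, scope):
    """Client side: carry the challenge's acr_values / max_age into the
    authorization request so the AS knows which strength/recency to achieve."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope}
    for key in ("acr_values", "max_age"):
        if key in challenge:
            params[key] = challenge[key]
    return params


def authorization_server_decision(params, supported_acrs, session_acr,
                                  session_auth_time, now):
    """Hypothetical AS logic: 'issue_token' if the existing session already
    meets the request, 'reauthenticate' if the user must authenticate again,
    or the unmet_authentication_requirement error if no supported ACR fits."""
    wanted = params.get("acr_values", "").split()  # space-separated, by preference
    if wanted and not any(acr in supported_acrs for acr in wanted):
        return "unmet_authentication_requirement"
    needs_reauth = bool(wanted) and session_acr not in wanted
    if "max_age" in params and now - session_auth_time > int(params["max_age"]):
        needs_reauth = True
    return "reauthenticate" if needs_reauth else "issue_token"


def step_up_flow(claims, now):
    """Run the RS -> client -> AS exchange once and return the artefacts."""
    unmet = unmet_requirements(claims, REQUIRED_ACR, MAX_AGE_SECONDS, now)
    if not unmet:
        return {"unmet": [], "challenge": None, "authz_query": None, "as": None}
    challenge = build_challenge(REQUIRED_ACR, MAX_AGE_SECONDS, unmet)
    parsed = parse_challenge(challenge)
    params = authorization_request_params(parsed, "client-123",
                                          "https://client.example/cb", "payments")
    decision = authorization_server_decision(
        params, {"urn:example:loa:1", "urn:example:loa:2"},
        claims.get("acr"), claims.get("auth_time"), now)
    return {"unmet": unmet, "challenge": challenge,
            "authz_query": urlencode(params), "as": decision}


if __name__ == "__main__":
    for key, value in step_up_flow(SAMPLE_TOKEN_CLAIMS, 1_700_000_400).items():
        print(f"{key}: {value}")
```

Advertising only the unmet parameters matters on the RS side: a challenge that always repeats the full policy would make every step-up look identical in logs, whereas the per-request challenge records whether the shortfall was strength or recency, which is what an operator wants when reviewing why a client was sent back to the authorization server.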

Working Group Summary

There was WG consensus to publish this document and no noteworthy controversy.

Document Quality

1. Ping Identity
Has implementations of the functionality in this document for the authorization
server and resource server roles.
https://docs.pingidentity.com/r/en-us/pingaccess-71/mhu1564006734179
https://docs.pingidentity.com/r/en-us/pingfederate-112/pf_authoriz_endpoint

2. Authlete
Authlete 2.3, which is planned to be released next month (January 2023),
supports OAuth 2.0 Step-up Authentication Challenge Protocol.
https://www.authlete.com/developers/stepup_authn/

3. HelseID is planning to implement this:
https://helseid.atlassian.net/wiki/spaces/HELSEID/pages/493256708/How+to+do+a+step-up+of+the+authentication+level+of+a+user#Step-up-for-APIs

4. Apache HTTPd
The plan is to add support to the next release of mod_oauth2, an Apache HTTPd
module. https://github.com/zmartzone/mod_oauth2/blob/master/README.md

5. Duende
The current version of Duende IdentityServer supports everything included in
this proposal except the new unmet_authentication_requirement error, which
has been added in v6.3.0, to be released this summer.
https://duendesoftware.com/


Personnel

- Document Shepherd: Rifaat Shekh-Yusef
- Responsible AD: Roman Danyliw

RFC Editor Note