From IIW

FICAM Profile, OAUTH2 & 800-63 (3A)

Convener: Matt Tebo

Notes-taker(s): Ross Foard

Tags for the session - technology discussed/ideas considered:

Discussion of NIST SP800-63 and OAuth and their relationship

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

800-63 and OAuth



Credential Management



We are going to talk about assertions.

800-63 Assertion definition

Assertions are statements from a verifier (IDP) to an RP that contain information about a subscriber… May include identification and AuthN statements and attributes.

800-63 LOA Threats

1. Assertion Manufacture/Mod

  • a. Threat - Bogus assertion or modified real one
  • b. Mitigation - DSIG or TLS

2. Assertion Re-Use

  • a. Threat-
  • b. Mitigation - Timestamp, Validity Period

3. Secondary Authenticator Manufacture = AuthZ code

  • a. Threat - Attacker Generates 2ndary Authenticator & impersonates user
  • b. Mitigation - Entropy, DSIG, Client Auth
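
The mitigations listed for threats 1 and 2, sketched as an added example (not code from the session or from SP 800-63). The JSON assertion layout, field names, function and class names, and the key are assumptions made for illustration, and HMAC-SHA256 from the standard library stands in for the DSIG the notes name.

```python
import base64
import hashlib
import hmac
import json
import secrets

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the IdP signing key

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sign(body, key):
    return hmac.new(key, body, hashlib.sha256).digest()

def issue_assertion(subject, now, lifetime=300, key=DEMO_KEY):
    """Verifier (IdP) side: sign a statement with an ID and validity period."""
    claims = {"id": secrets.token_urlsafe(16), "sub": subject,
              "iat": now, "exp": now + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    return b64(body) + "." + b64(sign(body, key))

class RelyingParty:
    """RP side: reject manufactured, modified, stale or re-used assertions."""

    def __init__(self, key=DEMO_KEY, skew=30):
        self.key, self.skew = key, skew
        self.seen = {}  # assertion id -> expiry, kept until the assertion expires

    def verify(self, token, now):
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return "malformed", None
        # Threat 1 (manufacture/modification): check integrity before parsing.
        if not hmac.compare_digest(sig, sign(body, self.key)):
            return "bad-signature", None
        claims = json.loads(body)
        # Threat 2 (re-use): enforce the timestamp and validity period...
        if now < claims["iat"] - self.skew:
            return "not-yet-valid", None
        if now > claims["exp"] + self.skew:
            return "expired", None
        # ...and remember IDs so a replay inside the window is still refused.
        self.seen = {i: e for i, e in self.seen.items() if e + self.skew >= now}
        if claims["id"] in self.seen:
            return "replayed", None
        self.seen[claims["id"]] = claims["exp"]
        return "ok", claims["sub"]
```

The validity period alone leaves the assertion reusable until it expires, which is why the RP also keeps the IDs it has already accepted.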


OAuth does not have the identity of a user in any form, although it does provide a "consent" assertion. Any identity-based assertion must use a separate protocol or mechanism.

Facebook Connect is a proprietary version of OpenID Connect and a predecessor to it.

There is no standard for the identity portion of OpenID Connect in OAuth.

Parts of OAuth 1.0 were trying to solve the three-legged authorization problem with a single solution. OAuth 2 made a specific decision not to be backward compatible with OAuth 1.0.

Because of the difficulty of normalizing the signing part, the authentication part was normalized on SSL to broaden the audience of devices.

Facebook has a signed authentication token in Facebook Connect.

We could profile an implementers draft of OpenID Connect.  

User experience compliance and constraints need to be part of the profile to ensure control is being done as desired by the profiler.