[Openid-specs-ab] amr vs acr

Mike Jones Michael.Jones at microsoft.com
Fri May 31 23:48:11 UTC 2013

Sure.  I'll start by including the two different definitions, for reference:

OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115<http://openid.net/specs/openid-connect-messages-1_0.html#ISO29115> [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 should never be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE <http://openid.net/specs/openid-connect-messages-1_0.html#OpenID.PAPE>  [OpenID.PAPE] nist_auth_level 0.) An absolute URI or a registered name<http://openid.net/specs/openid-connect-messages-1_0.html#RFC6711> [RFC6711] MAY be used as an acr value.
OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification.

The key difference is that “acr” references the single authentication CLASS that the authentication event satisfied, whereas “amr” lists the set of individual authentication METHODS used in the authentication event.  The first is likely closely tied to the trust framework within which the authentication occurred.  For instance, the “acr” might be used to say that the authentication performed met the requirements of an EU Stork Level 3 authentication, whereas the “amr” might communicate that the authentication event did so by using a Belgian EID card (one claim returned) on a computer that meets the patch requirements of the EU Ministry of Defense (another “amr” claim returned).  Other “acr” references would be things like the US Government NIST Authentication Levels specified in NIST SP 800‑63 or trust framework references to elements frameworks defined with the OIX.  Other “amr” references would be things like “used a password”, “used an OTP device”, “used a code sent out of band in a text message”, etc.  The first are references classes of authentication defined in legal contracts.  The latter are references to physical events that took place.

Does that help?

                                                                -- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Friday, May 31, 2013 11:02 AM
To: OpenId Connect List
Subject: [Openid-specs-ab] amr vs acr


could someone please describe me the difference between the id token members acr and acm? From my understanding, they are just the same. I'm also interested to learn why the authorization request allows to specify multiple acrs but does not support to specify any authentication method (via acm). Additionally, why is there no way to indicate more than one acr in the id token?

Thanks in advance,



Openid-specs-ab mailing list

Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130531/622909a1/attachment.html>

More information about the Openid-specs-ab mailing list