[Openid-specs-ab] acr values

Tim Bray tbray at textuality.com
Mon Aug 12 20:05:19 UTC 2013


In our IDP role, we’re coming under a lot of pressure to say something
about “session strength” and maybe in some circumstances force re-auth and
so on.  There are a lot of different vocabularies in play that you could
use to talk about this stuff, including NIST and ISO publications; and the
work of the Fido alliance is maybe interesting.  So I expect a lot of churn
in this space, and OIDC needs to allow sufficient elbow room.

So, the purpose of this note is to confirm my understandings, based on
looking at the OIDC Messages draft.  Do people agree with these?

- It’s perfectly OK to provide any old URI we dream up as a value for the
“acr” claim.

- There may be awkwardness around multiple values; suppose I wanted to
assert, for example, that the session is less than ten minutes old AND
two-factor authent was used.  All I can think of is composing a URI along
the lines of urn:google-auth-claims?max-age=10&two-factor=true; which is a
little kludgy but I guess OK.  Awkward, though, in the case where there’s a
Fido vocabulary for 2-factor-flavor and someone else’s vocabulary for
session-freshness.
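As an added illustration of the composite-URI idea in the post (this is not code from the post, from Google, or from any OIDC specification), the following Python composes and decomposes an acr value of the proposed shape and shows the relying-party side evaluating it, failing closed when a parameter or the whole vocabulary is unknown. The base URN and parameter names are taken from the post; the policy thresholds are assumptions.

```python
from urllib.parse import parse_qs, urlencode

# Base URI as sketched in the post; treated here as an example vocabulary, not a registered URN.
ACR_BASE = "urn:google-auth-claims"


def compose_acr(max_age_minutes=None, two_factor=None):
    """IdP side: pack several authentication-context assertions into one acr string."""
    params = {}
    if max_age_minutes is not None:
        params["max-age"] = str(max_age_minutes)
    if two_factor is not None:
        params["two-factor"] = "true" if two_factor else "false"
    return ACR_BASE + ("?" + urlencode(params) if params else "")


def parse_acr(acr):
    """Split an acr value into (base URI, {param: value}); an opaque URI yields an empty dict."""
    base, sep, query = acr.partition("?")
    if not sep:
        return base, {}
    # parse_qs returns lists; keep the last value so a repeated key cannot smuggle in an extra one
    return base, {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def acr_satisfies(acr, require_two_factor=False, max_age_minutes=None):
    """RP side: True only if the acr value asserts everything this RP demands.

    Anything the RP cannot interpret (foreign vocabulary, missing or malformed
    parameter) counts as 'not asserted', so the check fails closed.
    """
    base, params = parse_acr(acr)
    if base != ACR_BASE:
        return False  # someone else's vocabulary: we do not know what it promises
    if require_two_factor and params.get("two-factor") != "true":
        return False
    if max_age_minutes is not None:
        try:
            asserted_age = int(params["max-age"])
        except (KeyError, ValueError):
            return False
        if asserted_age > max_age_minutes:
            return False
    return True


if __name__ == "__main__":
    # Constructed ID-token claims, as an RP would see them after signature validation.
    id_token_claims = {"iss": "https://idp.example", "sub": "12345", "acr": compose_acr(10, True)}
    print(id_token_claims["acr"], acr_satisfies(id_token_claims["acr"], True, 15))
```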

