[Openid-specs-ab] Issue #866: Why are there two different ways to request acr? (openid/connect)

Brian Campbell issues-reply at bitbucket.org
Mon Aug 12 20:53:37 UTC 2013

New issue 866: Why are there two different ways to request acr?

Brian Campbell:

A client can request acr using the acr_values parameter of the request or with the claim parameter of the request using id_token.acr.values. 

In the former case it's a space delimited list and in the latter is a JSON array. The latter also necessitates the definition of the values member of an individual claims request, which isn't otherwise needed AFAICT. 

I don't see the value in having two different ways to do the same thing? Can it just consolidate to using the acr_values parameter? It's simple in that it can be just a query parameter but it also can be signed/encrypted using the request object. Seems like it covers everything that's needed.

Using the claims request parameter does allow acr to be marked as 'Essential' but I don't see that there's any actual difference in behavior, per messages 2.6.1, "the Authorization Server MUST NOT generate an error when Claims are not returned, whether they are Essential or Voluntary."

BTW, which one takes precedence, if they are both present?

More information about the Openid-specs-ab mailing list