[Openid-specs-ab] acr values

mike at gluu.org mike at gluu.org
Mon Aug 12 20:52:38 UTC 2013


Because the use of ACR was unclear to me, OX ended up taking a 
different approach to enable the client to request the type of 
authentication. My design was based on CA Siteminder, and I think it 
could be either merged, or remain complementary to ACR:

The idea is that these two params, auth_mode and auth_level, could be 
used by the client to request either a specific type or "level" of 
authentication... which were defined by the domain or the federation.

I recorded a demo of how we configure OX to use these params:

Also note, in our proposed Apache module for OIDC, the web developer 
can specify the auth_mode or auth_level as a directive:

Finally, in OX we expose the auth_mode and auth_level from the access 
token so they can be used to write a policy (i.e. user must use 
auth_level_10 to access this resource...). We've also proposed an UMA 
profile for stepped up authentication:

OX is out in front on this feature. I'd be interested to see it either 
merged with ACR, or perhaps supported as a simpler alternative to ACR. 
It would be great if you could help take this up...



PS: Our CrowdTilt looks like it's going to fall $5k short unless a 
miracle happens. It's really too bad... I have been finding that web 
developers are really struggling to implement the OIDC protocol, and 
this would help many of them: http://www.gluu.co/uma-apache
