[Openid-specs-ab] acr values

mike at gluu.org mike at gluu.org
Mon Aug 12 20:52:38 UTC 2013


Tim,

Because the use of ACR was unclear to me, OX ended up taking a 
different approach to enable the client to request the type of 
authentication. My design was based on CA Siteminder, and I think it 
could be either merged, or remain complementary to ACR:
  
http://wiki.openid.net/w/page/66496701/Domain%20Specific%20Authentication%20Mode%20and%20Level

The idea is that these two params, auth_mode and auth_level, could be 
used by the client to request either a specific type or "level" of 
authentication... which were defined by the domain or the federation.

I recorded a demo of how we configure OX to use these params:
  http://www.youtube.com/watch?v=Bsr4cOoZBJk

Also note, in our proposed Apache module for OIDC, the web developer 
can specify the auth_mode or auth_level as a directive:
   http://ox.gluu.org/doku.php?id=oxd:mod_oic

Finally, in OX we expose the auth_mode and auth_level from the access 
token so they can be used to write a policy (i.e. user must use 
auth_level_10 to access this resource...). We've also proposed a UMA 
profile for stepped-up authentication:
  http://ox.gluu.org/doku.php?id=oxauth:uma_profile

OX is out in front on this feature. I'd be interested to see it either 
merged with ACR, or perhaps supported as a simpler alternative to ACR. 
It would be great if you could help take this up...

thx,

Mike

PS: Our CrowdTilt looks like it's going to fall $5k short unless a 
miracle happens. It's really too bad... I have been finding that web 
developers are really struggling to implement the OIDC protocol, and 
this would help many of them: http://www.gluu.co/uma-apache


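An added illustration of the auth_mode/auth_level proposal described in the message above (example code, not OX or Gluu's implementation): a client builds an authorization request carrying the two parameters, and a resource server reads the same two values from the access token claims to decide between allow, deny, and step-up. It assumes auth_level is a domain-defined integer, auth_mode a domain-defined string, and that the token claims use the same names as the request parameters; the policy table and claim values are constructed samples.

```python
from urllib.parse import urlencode

# Assumptions (not stated in the proposal): auth_level is a small integer
# defined by the domain/federation, auth_mode is a domain-defined string,
# and the access token carries both under the same names as the request.

def build_authz_request(authz_endpoint, client_id, redirect_uri, state,
                        auth_mode=None, auth_level=None):
    """Build an OIDC authorization request carrying the proposed params."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # binds the redirect back to this client session
    }
    if auth_mode is not None:
        params["auth_mode"] = auth_mode
    if auth_level is not None:
        params["auth_level"] = str(int(auth_level))
    return authz_endpoint + "?" + urlencode(params)

# Constructed sample policy: minimum level and, optionally, a required mode.
RESOURCE_POLICY = {
    "/reports": {"min_level": 1},
    "/admin": {"min_level": 10, "mode": "otp"},
}

def _level(claims):
    """Read auth_level from token claims; absent or malformed counts as 0."""
    try:
        return int(claims.get("auth_level", 0))
    except (TypeError, ValueError):
        return 0

def authorize(claims, resource):
    """Return ('allow', None), ('deny', None) or ('step_up', params).

    'step_up' carries the auth_mode/auth_level the client should put in a
    fresh authorization request; resources with no policy are denied.
    """
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return ("deny", None)
    need = {"auth_level": policy["min_level"]}
    if "mode" in policy:
        need["auth_mode"] = policy["mode"]
    level_ok = _level(claims) >= policy["min_level"]
    mode_ok = "mode" not in policy or claims.get("auth_mode") == policy["mode"]
    return ("allow", None) if level_ok and mode_ok else ("step_up", need)
```

The step-up branch is what lets a policy such as "this resource needs auth_level_10" be enforced at the resource without the client guessing which level to ask for.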