[Openid-specs-ab] acr values

mike at gluu.org mike at gluu.org
Tue Aug 13 01:03:39 UTC 2013


OX did invent something, which is why we wrote an emerging work wiki 
page:
http://wiki.openid.net/w/page/66496701/Domain%20Specific%20Authentication%20Mode%20and%20Level

I think that amr is very close to what we proposed as auth_mode. I 
agree it's inflexible, but sometimes explicit specification is desirable.

In the current OIDC design, I don't see an equivalent for "auth_level." 
This approach is widely used at many large organizations, as "siteminder 
level." The idea is to provide the domain with a way to define the 
relative strength of the authn workflows they provide. This is a 
convenience for managing policies, and supporting the plethora of new 
authn mechanisms that arise. The auth_level can be defined by the domain 
or federation--it is not meant to be a globally meaningful value (that 
is what ACR is for in my opinion).

Certainly OX will adopt the standards that arise... but having some 
implementation feedback never hurts. My experience is that explaining 
auth_mode and auth_level to developers makes sense to them.

thx,

Mike

PS: 3 more days to fund
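
An added illustration of the domain-scoped level idea discussed in the message above; it is not code from the post, from OX, or from the OpenID specifications. The encoding of `auth_mode` and `auth_level` as token claims, the issuer URLs, level numbers and resource paths are constructed assumptions, and the claims are assumed to come from an ID token whose signature, issuer and audience were already validated.

```python
# Added illustration, not from the post: the auth_mode/auth_level claim
# encoding, issuers, numbers and paths below are constructed assumptions.

# Each domain ranks its own authn workflows; the numbers mean nothing
# outside that domain.
DOMAIN_LEVELS = {
    "https://idp.example.org": {"basic": 10, "otp": 20, "cert": 30},
    "https://idp.example.net": {"basic": 1, "duo": 2},
}

# Minimum level per resource, stated per issuer because levels from
# different domains cannot be compared with each other.
RESOURCE_POLICY = {
    "/payroll": {"https://idp.example.org": 20, "https://idp.example.net": 2},
    "/wiki": {"https://idp.example.org": 10, "https://idp.example.net": 1},
}


def evaluate(claims, resource):
    """Return 'allow', 'deny' or 'step_up:<mode>' for already-verified claims."""
    iss = claims.get("iss")
    required = RESOURCE_POLICY.get(resource, {}).get(iss)
    if required is None:
        return "deny"  # unknown resource or issuer: nothing to compare against
    levels = DOMAIN_LEVELS.get(iss, {})
    level = claims.get("auth_level")
    mode = claims.get("auth_mode")
    # Fail closed when a claim is missing or mistyped, or when the level does
    # not match what this domain assigns to the asserted mode.
    if type(level) is not int or not isinstance(mode, str) or levels.get(mode) != level:
        return "deny"
    if level >= required:
        return "allow"
    # Suggest the weakest workflow of this domain that meets the policy.
    enough = sorted((lvl, m) for m, lvl in levels.items() if lvl >= required)
    return "step_up:" + enough[0][1] if enough else "deny"
```

Adding a new workflow to a domain only touches that domain's entry in `DOMAIN_LEVELS`; the resource policy keeps comparing numbers and does not need to know the mechanism.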