[Openid-specs-ab] acr values

Brian Campbell bcampbell at pingidentity.com
Tue Aug 13 14:02:08 UTC 2013


Seems like the case Tim mentions could be handled using acr and auth_time.

So rather than an acr with something like
urn:google-auth-claims?max-age=10&two-factor=true, an acr with
urn:google-auth-claims:two-factor might be used to indicate 2 factor
authn and the auth_time can indicate the session freshness.

Yes, it means looking in two different places. But that seems easier
than looking in one place but having to parse two values out of it.



On Tue, Aug 13, 2013 at 7:48 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Sure the nice thing about URI is that people won't confuse http://example.com/auth_level/0 with http://bar.com/auth_level/0 as they may mean completely different things.
>
> If people want to do interfederation the registry is there to point to the agreed policy.
>
> In the local case putting a document at the URI to explain the local policy to help developers is a good idea but not required.
>
>
> Sent from my iPhone
>
> On 2013-08-12, at 11:11 PM, mike at gluu.org wrote:
>
>> John,
>>
>> Nat also made the case to me a while back that ACR could be used for domain or federation level policy. One of the reasons we implemented our own solution was because it was unclear how to use ACR. Perhaps more examples in the documentation would be helpful. Are you proposing that a domain could have an acr value such as "http://example.com/auth_level/0" ?
>>
>> - Mike
>>
>>
>>
>
>
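The two-place check discussed in this thread, as an added example that is not part of the original messages: a relying party compares `acr` as an opaque string and tests `auth_time` separately for freshness. The function name, the `max_age_seconds` and `skew_seconds` parameters, and the sample claims are assumptions made for illustration; the claims are assumed to come from an ID token whose signature has already been verified.

```python
import time

# acr value quoted in the thread
TWO_FACTOR_ACR = "urn:google-auth-claims:two-factor"


def check_authn_claims(claims, accepted_acrs, max_age_seconds,
                       now=None, skew_seconds=60):
    """Return (ok, reason) for already-verified ID token claims.

    Hypothetical helper: acr is matched as an exact string (no parsing),
    auth_time (seconds since the epoch) is checked on its own.
    """
    now = int(time.time()) if now is None else now

    acr = claims.get("acr")
    if not isinstance(acr, str):
        return False, "acr missing"
    # Exact comparison: the same path under a different authority is a
    # different policy and must not match.
    if acr not in accepted_acrs:
        return False, "acr not accepted"

    auth_time = claims.get("auth_time")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return False, "auth_time missing or not an integer"
    if auth_time > now + skew_seconds:
        return False, "auth_time in the future"
    if now - auth_time > max_age_seconds + skew_seconds:
        return False, "authentication too old"
    return True, "ok"


if __name__ == "__main__":
    now = 1376402528  # constructed timestamp
    sample = {"acr": TWO_FACTOR_ACR, "auth_time": now - 5}  # constructed claims
    print(check_authn_claims(sample, {TWO_FACTOR_ACR}, 10, now=now))
```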

