[Openid-specs-ab] acr values

Tim Bray tbray at textuality.com
Tue Aug 13 14:05:41 UTC 2013


I'll be honest; I'd be a little happier if some of these values were lists
not singletons. But I think we can work with what's there.

Thanks for the input, everyone.
-T
On Aug 13, 2013 7:02 AM, "Brian Campbell" <bcampbell at pingidentity.com>
wrote:

> Seems like the case Tim mentions could be handled using acr and auth_time.
>
> So rather than an acr with something like
> urn:google-auth-claims?max-age=10&two-factor=true, an acr with
> urn:google-auth-claims:two-factor might be used to indicate 2 factor
> authn and the auth_time can indicate the session freshness.
>
> Yes, it means looking in two different places. But that seems easier
> than looking in one place but having to parse two values out of it.
>
>
>
> On Tue, Aug 13, 2013 at 7:48 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> > Sure the nice thing about URI is that people won't confuse
> http://example.com/auth_level/0 with http://bar.com/auth_level/0 as they
> may mean completely different things.
> >
> > If people want to do interfederation the registry is there to point to
> the agreed policy.
> >
> > In the local case putting a document at the URI to explain the local
> policy to help developers is a good idea but not required.
> >
> >
> > Sent from my iPhone
> >
> > On 2013-08-12, at 11:11 PM, mike at gluu.org wrote:
> >
> >> John,
> >>
> >> Nat also made the case to me a while back that ACR could be used for
> domain or federation level policy. One of the reasons we implemented our
> own solution was because it was unclear how to use ACR. Perhaps more
> examples in the documentation would be helpful. Are you proposing that a
> domain could have an acr value such as "http://example.com/auth_level/0" ?
> >>
> >> - Mike
> >>
> >>
> >>
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >
>
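
The approach Brian Campbell describes above (acr for how the user authenticated, auth_time for how recently), seen from the relying party's side. This is an added example, not code from the thread or from any OpenID implementation. The acr URN is the hypothetical value floated in the message; the function name, the accepted-values set and the clock-skew allowance are assumptions made for illustration.

```python
import time

# Assumption: hypothetical acr value taken from the thread, not a registered URN.
TWO_FACTOR_ACR = "urn:google-auth-claims:two-factor"

# Constructed sample ID Token claims (signature, iss, aud, exp checked elsewhere).
SAMPLE_CLAIMS = {"sub": "user-1", "acr": TWO_FACTOR_ACR, "auth_time": 1_000_000}


class AuthContextError(Exception):
    """The ID Token does not meet the relying party's authentication policy."""


def check_auth_context(claims, accepted_acrs, max_age, now=None, skew=60):
    """Check the two claims separately and return the authentication age.

    claims        -- dict of already-validated ID Token claims
    accepted_acrs -- set of acr strings this relying party treats as sufficient
    max_age       -- maximum seconds allowed since the user last authenticated
    skew          -- tolerated clock difference between OP and RP, in seconds
    """
    now = int(time.time()) if now is None else now

    acr = claims.get("acr")
    # acr is one opaque string: compare it exactly, never by prefix or
    # substring, so a different issuer's similar-looking URI cannot match.
    if not isinstance(acr, str) or acr not in accepted_acrs:
        raise AuthContextError(f"acr {acr!r} is not an accepted value")

    auth_time = claims.get("auth_time")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        raise AuthContextError("auth_time is missing or not an integer")
    if auth_time > now + skew:
        raise AuthContextError("auth_time lies in the future")
    if now - auth_time > max_age + skew:
        raise AuthContextError("authentication is older than max_age")
    return max(0, now - auth_time)
```
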