[Openid-specs-ab] acr values

mike at gluu.org mike at gluu.org
Tue Aug 13 14:09:09 UTC 2013


I like it... in fact we could also do a mapping for auth_mode, because 
the way OX uses auth_mode is different than what is proposed for "amr" 
(in OX auth_mode can't be multi-value).

So I think the main issue is that the way acr is defined in the spec, 
it is a little hard for us "normal people" to understand. A few more 
examples would be helpful.

Also, I'm a little unclear where the registry would exist. Is there a 
standard location in .well-known to publish these policies?



On 2013-08-13 08:48, John Bradley wrote:
> Sure the nice thing about URI is that people won't confuse
> http://example.com/auth_level/0 with http://bar.com/auth_level/0 as
> they may mean completely different things.
> If people want to do interfederation the registry is there to point
> to the agreed policy.
> In the local case putting a document at the URI to explain the local
> policy to help developers is a good idea but not required.
> Sent from my iPhone
> On 2013-08-12, at 11:11 PM, mike at gluu.org wrote:
>> John,
>> Nat also made the case to me a while back that ACR could be used for 
>> domain or federation level policy. One of the reasons we implemented 
>> our own solution was because it was unclear how to use ACR. Perhaps 
>> more examples in the documentation would be helpful. Are you proposing 
>> that a domain could have an acr value such as 
>> "http://example.com/auth_level/0" ?
>> - Mike

More information about the Openid-specs-ab mailing list