[Openid-specs-ab] Request amr ?

Michael Schwartz mike at gluu.org
Mon Sep 8 22:29:05 UTC 2014


We had this conversation before. I still don't understand why if you 
return AMR in the id_token, why not let the RP request it?  In 
enterprise use, many "federations" are primarily driven by the 
policy of one organization. Not allowing the client to request amr seems 

- Mike

On 2014-09-08 17:08, John Bradley wrote:
> You request an acr, and that can have whatever rules for acceptable AMR
> you like.
> Requesting a specific AMR is not scalable.  The first time you add a
> new AMR even if it is better things break unless it is a small
> federation that is configured out of band.
> If that is the case and you don't care about identity proofing etc.
> Then just map acr to classes of AMR.
> AMR should mostly be treated as extra information on top of ACR.
> Sent from my iPhone
>> On Sep 8, 2014, at 6:29 PM, Michael Schwartz <mike at gluu.org> wrote:
>> OpenID Connect gurus,
>> The ID token returns 'amr', but there is no way to send 'amr' in the 
>> request?
>> So the only way to request a specific type of authentication is to use 
>> the 'acr' param?
>> thx,
>> Mike
>> -------------------------------------
>> Michael Schwartz
>> Gluu CEO


Michael Schwartz
Founder / CEO
mike at gluu.org
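
Added illustration, not part of the thread and not any poster's or project's code: a sketch of the "map acr to classes of AMR" approach from the quoted reply, next to an RP that pins an exact amr list. The acr URNs, the amr values, the "newmfa" method and all function names are constructed for this example.

```python
# Added illustration: acr names, amr values and both policies are constructed samples.

# OP-side policy: each acr is a class of acceptable amr combinations.
OP_ACR_CLASSES = {
    "urn:example:acr:mfa": [{"pwd", "otp"}],
    "urn:example:acr:basic": [{"pwd"}],
}
ACR_STRENGTH = ["urn:example:acr:mfa", "urn:example:acr:basic"]  # strongest first


def op_assign_acr(amr_performed, classes=OP_ACR_CLASSES):
    """OP: return the strongest acr whose class is satisfied by the methods used."""
    performed = set(amr_performed)
    for acr in ACR_STRENGTH:
        if any(combo <= performed for combo in classes.get(acr, [])):
            return acr
    return None


def rp_accepts_by_acr(claims, requested_acr_values):
    """RP: enforce on acr only; amr stays informational (e.g. for audit logs)."""
    return claims.get("acr") in requested_acr_values


def rp_accepts_by_pinned_amr(claims, pinned_amr):
    """RP that pins an exact amr list, the approach the reply calls not scalable."""
    return set(claims.get("amr", [])) == set(pinned_amr)


def id_token_claims(amr_performed, classes=OP_ACR_CLASSES):
    """Build the two claims of interest as the OP would place them in the ID token."""
    return {"acr": op_assign_acr(amr_performed, classes), "amr": list(amr_performed)}


# The OP later rolls out a new method ("newmfa", constructed) and adds it to its mfa class.
UPDATED_CLASSES = {**OP_ACR_CLASSES,
                   "urn:example:acr:mfa": [{"pwd", "otp"}, {"newmfa"}]}

if __name__ == "__main__":
    wanted = ["urn:example:acr:mfa"]
    for amr, classes in ((["pwd", "otp"], OP_ACR_CLASSES), (["newmfa"], UPDATED_CLASSES)):
        claims = id_token_claims(amr, classes)
        print(claims, "acr-RP:", rp_accepts_by_acr(claims, wanted),
              "amr-pinned-RP:", rp_accepts_by_pinned_amr(claims, ["pwd", "otp"]))
```

After the OP adds the new method to its mfa class, the RP that checks acr keeps accepting logins without any change, while the RP that pinned the amr list rejects them until it is reconfigured.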
