[Openid-specs-ab] Request amr ?

Michael Schwartz mike at gluu.org
Mon Sep 8 22:29:05 UTC 2014


John,

We had this conversation before. I still don't understand why if you 
return AMR in the id_token, why not let the RP request it?  In 
enterprise use, many "federations" are primarily driven by the 
policy of one organization. Not allowing the client to request amr seems 
paternalistic.

- Mike


On 2014-09-08 17:08, John Bradley wrote:
> You request an acr, and that can have whatever rules for acceptable AMR
> you like.
> 
> Requesting a specific AMR is not scalable.  The first time you add a
> new AMR even if it is better things break unless it is a small
> federation that is configured out of band.
> 
> If that is the case and you don't care about identity proofing etc.
> Then just map acr to classes of AMR.
> 
> AMR should mostly be treated as extra information on top of ACR.
> 
> Sent from my iPhone
> 
>> On Sep 8, 2014, at 6:29 PM, Michael Schwartz <mike at gluu.org> wrote:
>> 
>> OpenID Connect gurus,
>> 
>> The ID token returns 'amr', but there is no way to send 'amr' in the 
>> request?
>> 
>> So the only way to request a specific type of authentication is to use 
>> the 'acr' param?
>> 
>> thx,
>> 
>> Mike
>> 
>> -------------------------------------
>> Michael Schwartz
>> Gluu CEO
>> 

-- 


-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
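
An RP-side sketch of the approach John Bradley describes in this thread (request an acr, map it to classes of AMR, treat amr as extra information on top), added here as an example and not code from either poster or from the OpenID specifications. The acr URNs, the sample amr strings, the policy table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Hypothetical RP policy: each accepted acr maps to classes of amr.
# Every class (a set of alternatives) needs at least one match.
ACR_POLICY = {
    "urn:example:acr:mfa": [{"pwd", "pin"}, {"otp", "hwk"}],
    "urn:example:acr:basic": [{"pwd", "pin", "otp", "hwk"}],
}
KNOWN_AMR = set().union(*(c for classes in ACR_POLICY.values() for c in classes))


def build_auth_request(endpoint, client_id, redirect_uri, acrs, state, nonce):
    """Ask for authentication strength via acr_values (preference order).
    There is no amr request parameter to send."""
    return endpoint + "?" + urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": " ".join(acrs),
        "state": state,
        "nonce": nonce,
    })


def check_authn_claims(claims, requested_acrs):
    """claims: ID token payload whose signature, iss, aud, exp and nonce
    were already validated elsewhere (assumed, not shown here).
    Returns (accepted, reason, unknown_amr)."""
    acr = claims.get("acr")
    if acr not in requested_acrs or acr not in ACR_POLICY:
        return False, "acr missing or not one we asked for", []
    amr = claims.get("amr")
    if amr is None:
        return True, "accepted on acr; no amr returned", []
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        return False, "amr is not an array of strings", []
    unknown = sorted(set(amr) - KNOWN_AMR)
    if unknown:
        # A method this RP has never seen must not break login: acr decides.
        return True, "accepted on acr; unrecognised amr logged", unknown
    if all(cls & set(amr) for cls in ACR_POLICY[acr]):
        return True, "acr and amr agree", []
    return False, "amr contradicts the acr the OP asserted", []
```
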

