[Openid-specs-ab] Request amr ?

John Bradley ve7jtb at ve7jtb.com
Mon Sep 8 23:10:06 UTC 2014


In those enterprise federations just use acr. ACR can be any policy they like, e.g. request AMR = multi-factor, response ACR = multi-factor, AMR = "oath-token".

AMR is extra feedback.

Letting someone ask for ACR & AMR specifically can create unintended conflicts.


On Sep 8, 2014, at 7:29 PM, Michael Schwartz <mike at gluu.org> wrote:

> John,
> 
> We had this conversation before. I still don't understand why if you return AMR in the id_token, why not let the RP request it? In enterprise use, many "federations" are primarily driven by the policy of one organization. Not allowing the client to request amr seems paternalistic.
> 
> - Mike
> 
> 
> On 2014-09-08 17:08, John Bradley wrote:
>> You request an acr, and that can have whatever rules for acceptable AMR
>> you like.
>> Requesting a specific AMR is not scalable.  The first time you add a
>> new AMR, even if it is better, things break unless it is a small
>> federation that is configured out of band.
>> If that is the case and you don't care about identity proofing etc.,
>> then just map acr to classes of AMR.
>> AMR should mostly be treated as extra information on top of ACR.
>>> On Sep 8, 2014, at 6:29 PM, Michael Schwartz <mike at gluu.org> wrote:
>>> OpenID Connect gurus,
>>> The ID token returns 'amr', but there is no way to send 'amr' in the request?
>>> So the only way to request a specific type of authentication is to use the 'acr' param?
>>> thx,
>>> Mike
>>> -------------------------------------
>>> Michael Schwartz
>>> Gluu CEO
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> -- 
> 
> 
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
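
The approach described in this thread (request an acr, let the federation map each acr to a class of AMRs, and treat amr as extra information), sketched as an added example that is not part of the original messages or of any OpenID Connect implementation. The acr URNs, the endpoint and client names, and every amr value other than "oath-token" are constructed for illustration; ID token signature and standard claim validation are assumed to have happened already.

```python
from urllib.parse import urlencode

# Constructed federation policy, agreed out of band: each acr names a class of AMRs.
# "oath-token" comes from the thread; every other value is made up for illustration.
ACR_POLICY = {
    "urn:example:acr:multi-factor": {"oath-token", "example-push"},
    "urn:example:acr:password": {"example-pwd"},
}

def build_auth_request(authz_endpoint, client_id, redirect_uri, acr_values):
    """RP side: ask for a policy via acr_values, never for a specific method."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": " ".join(acr_values),  # space-separated, in preference order
    }
    return authz_endpoint + "?" + urlencode(params)

def op_acr_for(amr_used, policy=ACR_POLICY):
    """OP side: report the acr(s) whose AMR class contains the method actually used."""
    return sorted(acr for acr, amrs in policy.items() if amr_used in amrs)

def rp_accepts(claims, requested_acrs):
    """RP side: decide on acr only; amr is returned as extra information (e.g. for logs).
    Assumes signature, iss, aud, exp and nonce were verified before this call."""
    ok = claims.get("acr") in requested_acrs
    return ok, list(claims.get("amr", []))

def rp_accepts_pinned_amr(claims, pinned_amr):
    """The brittle alternative: the RP hard-codes one authentication method."""
    return pinned_amr in claims.get("amr", [])
```

Adding a new method to the multi-factor class changes only the policy table: an RP using `rp_accepts` keeps working, while one using `rp_accepts_pinned_amr` rejects the new method until it is reconfigured.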
