[Openid-specs-mobile-profile] ACR values

John Bradley jbradley at mac.com
Fri Nov 27 14:14:04 UTC 2015


That is not the normal behaviour for Connect when using the query parameter.  
We had much debate at the time. 

We can achieve that with server side policy however.   

What I think people want is to send a list in preference order  eg [ “mc-2”, “mc-3” ] 

The IdP must try to do the highest one in the list that the users device supports, if that fails then the IDP will return an error.

That is the semantic if you use make it an essential claim in the request object.

Normally if the device only supported “mc-1” or “mc-4" the IdP could try that and return it if successful.  

I suppose that we could say that if the user can be authenticated at a higher level by the IdP it can do that and return a lower level from the requested list.

This is probably more important to be clear on than the levels themselves in some ways.

Is that the behaviour we want to require of the IdP?

John B.

> On Nov 27, 2015, at 8:51 AM, Lodderstedt, Torsten <t.lodderstedt at telekom.de> wrote:
> 
> >If the IdP cant supply one of the acr values by getting the user to step up then it must return a failed authentication attempt.
>  
> I think this is the desired behavior for MODRNA
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net <mailto:Openid-specs-mobile-profile at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile <http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20151127/0dbd97c4/attachment.html>


More information about the Openid-specs-mobile-profile mailing list