[Openid-specs-mobile-profile] ACR values

Lodderstedt, Torsten t.lodderstedt at telekom.de
Fri Nov 27 17:19:16 UTC 2015

As an RP, I would prefer to send the minimal level I would like the OP to fulfill, e.g. mc2, and I would accept if the OP did better, i.e. authenticated using mc3.

I think it is equally important to be clear on the meaning of the levels. Otherwise, the RP does not know what to expect and the OP does not know exactly what to implement.

Best regards,

From: John Bradley [mailto:jbradley at mac.com]
Sent: Friday, 27 November 2015 15:14
To: Lodderstedt, Torsten
Cc: philippe.clement at orange.com; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] ACR values

That is not the normal behaviour for Connect when using the query parameter.
We had much debate at the time.

We can achieve that with server side policy however.

What I think people want is to send a list in preference order, e.g. [ "mc-2", "mc-3" ]

The IdP must try to do the highest one in the list that the user's device supports; if that fails then the IdP will return an error.

That is the semantic if you make it an essential claim in the request object.

Normally if the device only supported "mc-1" or "mc-4" the IdP could try that and return it if successful.

I suppose that we could say that if the user can be authenticated at a higher level by the IdP it can do that and return a lower level from the requested list.

This is probably more important to be clear on than the levels themselves in some ways.

Is that the behaviour we want to require of the IdP?

John B.

On Nov 27, 2015, at 8:51 AM, Lodderstedt, Torsten <t.lodderstedt at telekom.de> wrote:

>If the IdP can't supply one of the acr values by getting the user to step up then it must return a failed authentication attempt.

I think this is the desired behavior for MODRNA
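The two request forms and the two RP acceptance policies discussed in this thread, as an added example that is not part of the original messages or of any OpenID specification text. The level ordering mc-1 < mc-2 < mc-3 < mc-4, the function names and the sample values are assumptions made for illustration.

```python
import json

# Assumed ordering of the levels named in the thread, weakest first.
LEVELS = ["mc-1", "mc-2", "mc-3", "mc-4"]


def auth_request_params(acrs, essential):
    """Build the acr part of an OpenID Connect authentication request.

    essential=False: the acr_values query parameter, a space-separated list
    in preference order that the OP treats as a voluntary claim.
    essential=True: the claims parameter marking acr as an essential claim,
    so an OP that cannot deliver a listed value fails the authentication.
    """
    if not essential:
        return {"acr_values": " ".join(acrs)}
    claims = {"id_token": {"acr": {"essential": True, "values": list(acrs)}}}
    return {"claims": json.dumps(claims, separators=(",", ":"))}


def rp_accepts(returned_acr, requested, policy):
    """Check the acr claim of an ID token whose signature is already verified.

    policy="listed": accept only a value from the requested list.
    policy="minimum": requested[0] is the minimal level; accept it or better.
    """
    if returned_acr not in LEVELS or requested[0] not in LEVELS:
        return False  # missing or unknown level: fail closed
    if policy == "listed":
        return returned_acr in requested
    if policy == "minimum":
        return LEVELS.index(returned_acr) >= LEVELS.index(requested[0])
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    print(auth_request_params(["mc-2", "mc-3"], essential=False))
    print(auth_request_params(["mc-2", "mc-3"], essential=True))
    # Constructed cases: (returned acr, requested list, policy)
    for case in [("mc-3", ["mc-2"], "minimum"),
                 ("mc-1", ["mc-2"], "minimum"),
                 ("mc-4", ["mc-2", "mc-3"], "listed")]:
        print(case, "->", rp_accepts(*case))
```

Whichever request form is used, the RP still has to compare the returned acr against its own policy, because with the voluntary acr_values form the OP may return a level outside the requested list.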