[Openid-specs-ab] acr values
mike at gluu.org
Mon Aug 12 20:52:38 UTC 2013
Tim,
Because the use of ACR was unclear to me, OX ended up taking a
different approach to enable the client to request the type of
authentication. My design was based on CA Siteminder, and I think it
could be either merged, or remain complementary to ACR:
http://wiki.openid.net/w/page/66496701/Domain%20Specific%20Authentication%20Mode%20and%20Level
The idea is that these two params, auth_mode and auth_level, could be
used by the client to request either a specific type or "level" of
authentication... which were defined by the domain or the federation.
I recorded a demo of how we configure OX to use these params:
http://www.youtube.com/watch?v=Bsr4cOoZBJk
Also note, in our proposed Apache module for OIDC, the web developer
can specify the auth_mode or auth_level as a directive:
http://ox.gluu.org/doku.php?id=oxd:mod_oic
Finally, in OX we expose the auth_mode and auth_level from the access
token so they can be used to write a policy (i.e. user must use
auth_level_10 to access this resource...). We've also proposed an UMA
profile for stepped up authentication:
http://ox.gluu.org/doku.php?id=oxauth:uma_profile
OX is out in front on this feature. I'd be interested to see it either
merged with ACR, or perhaps supported as a simpler alternative to ACR.
It would be great if you could help take this up...
thx,
Mike
PS: Our CrowdTilt looks like it's going to fall $5k short unless a
miracle happens. It's really too bad... I have been finding that web
developers are really struggling to implement the OIDC protocol, and
this would help many of them: http://www.gluu.co/uma-apache