[Openid-specs-ab] ACR processing - MUST/Essential/Voluntary, order of preference

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Mon Jun 24 15:28:07 UTC 2013


Hi guys,

We were having an internal discussion on how to handle the ACR parameter
in authz requests and I would like to ask for your advice:


OIDC Messages draft 20 says the top level "acr_values" parameter values
are to be treated as MUST. 

Does that mean the server must return an error if the ACR values are not
supported? (as opposed to the composite "claims" parameter with ID token
member "acr" where the only choice we have is between "essential" and
"voluntary") If yes, which error code?


Also, does the value order in "acr_values" matter? This seems to be
implied by the definition of "values" in 2.6.1 Individual Claim
Requests. The "default_acr_values" description in Registration also
seems ambiguous on the value order.


Thanks,

Vladimir





