[Openid-specs-ab] amr: strings versus objects
Mike Schwartz
mike at gluu.org
Thu Jul 28 19:01:42 UTC 2016
Vladimir and Mike, thanks for the comments.
It hadn't occurred to me to add a custom claim like "amr_context". It's
not a bad idea, but we prefer not to stray from the spec with our own
custom features.
I'm aware of the 'amr' spec in the OAuth group. I'm just too pessimistic
about this idea. I don't have a fix, so I'm not saying anything, so as
not to spoil everyone else's fun.
My main issue was the ordering of the amr values. I'll give you the use
case...
In the Gluu Server, you can define multiple authentication workflows.
Each workflow has an "Authentication Level," which is an integer that
the admin would set to indicate its relative strength. (Think
"Siteminder Level"). My thought is that we can't set these integers
globally, but within a domain, it can be done.
So returning the level in the amr is no problem... we're doing that. My
concern is that we are making a policy that the level is always returned
as the first amr value. That works, but it seems sort of restrictive to
me.
If we had an array of objects, there would be so much more opportunity
to provide information about the amr:
amr = [ {"name": "level", "value": "5"},
        {"name": "fraud_score", "value": "518"},
        {"name": "fingerprint", "category": "biometric", "paDesc": "100"}
      ]
And the order would be unimportant, because we could always just find
the object with name=level...
Anyway, just an idea...
- Mike
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
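To make the ordering concern concrete, here is an added example (not code from the thread, from Gluu, or from any OpenID specification) that extracts the authentication level from an `amr` claim in both shapes: the string-array form, where a relying party can only rely on the positional convention described above, and the proposed object-array form, where the level is found by name regardless of position. It then applies a fail-closed minimum-level policy; the `require_level` function and the sample claims are assumptions constructed for illustration.

```python
import json

# Constructed sample claims showing the two representations discussed in the
# post (not taken from any real token).
AMR_STRINGS = ["5", "pwd", "otp"]  # level is first only by local convention
AMR_OBJECTS = [                    # order carries no meaning in this form
    {"name": "fraud_score", "value": "518"},
    {"name": "fingerprint", "category": "biometric", "paDesc": "100"},
    {"name": "level", "value": "5"},
]


def _to_level(value):
    # A level must be a non-negative integer in string form; reject anything else.
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None


def level_from_amr(amr):
    """Return the authentication level as an int, or None if it cannot be
    determined safely. String form: the level is assumed to be the first
    value (the positional policy from the post). Object form: the level is
    the entry whose name is "level", wherever it sits in the array."""
    if not isinstance(amr, list) or not amr:
        return None
    if all(isinstance(v, str) for v in amr):
        return _to_level(amr[0])          # position is the only signal here
    if all(isinstance(v, dict) for v in amr):
        for entry in amr:
            if entry.get("name") == "level":
                return _to_level(entry.get("value"))
        return None                       # no level object present
    return None                           # mixed or unexpected content


def require_level(claims, minimum):
    """Policy check: True only if the token's amr carries a level >= minimum.
    A missing, malformed or mixed amr claim fails closed."""
    level = level_from_amr(claims.get("amr"))
    return level is not None and level >= minimum


if __name__ == "__main__":
    # ["pwd", "5"] shows how the string form breaks once the order changes.
    for amr in (AMR_STRINGS, AMR_OBJECTS, ["pwd", "5"], []):
        claims = {"sub": "alice", "amr": amr}
        print(json.dumps(amr), "->", level_from_amr(amr),
              "| meets level 3:", require_level(claims, 3))
```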