[Openid-specs-ab] amr: strings versus objects
Mike Schwartz
mike at gluu.org
Fri Jul 29 14:03:07 UTC 2016
> Do you make any use of the ACR claim?
Vladimir,
Yes, we are also using acr to specify the authn workflow. For example,
let's say a domain has two authentication mechanisms: U2F tokens and
password. We use acr so that the client can request one or the other.
ACR is loaded too... because a lot can happen in an authn workflow. Our
recomendation is that acr is a URI, to avoid collisions. amr cannot be
used for this purpose, because it is returned in the response, but is
not sent in the authn request. Also, amr seemed appropriate because it
returns an array of values, so my thought was that the OP can use it to
return extra information about what happend in the authn.
As JSON objects can be represented as strings, maybe we can just return
objects anyway :)
- Mike
More information about the Openid-specs-ab
mailing list