[Openid-specs-ab] amr: strings versus objects
Vladimir Dzhuvinov
vladimir at connect2id.com
Sun Jul 31 18:38:02 UTC 2016
On 29/07/16 17:03, Mike Schwartz via Openid-specs-ab wrote:
>
>> Do you make any use of the ACR claim?
>
> Vladimir,
>
> Yes, we are also using acr to specify the authn workflow. For example,
> let's say a domain has two authentication mechanisms: U2F tokens and
> password. We use acr so that the client can request one or the other.
> ACR is loaded too... because a lot can happen in an authn workflow.
> Our recommendation is that acr is a URI, to avoid collisions. amr
> cannot be used for this purpose, because it is returned in the
> response, but is not sent in the authn request. Also, amr seemed
> appropriate because it returns an array of values, so my thought was
> that the OP can use it to return extra information about what happened
> in the authn.
My suggestion was to have the same base ACR URIs to request the level,
and then return them to confirm the level, with appended parameters to
provide the additional context.
RPs will have to match the base ACR to find out if the ACR request was
honoured, and then parse the appended parameters to get the context if
they want that.
>
> As JSON objects can be represented as strings, maybe we can just
> return objects anyway :)
If the RP is using some general OIDC library, and that library makes use
of a standard JSON facility, parsing the AMR values where an array of
strings is expected will probably fail. In JSON the string and object
entities are distinct, and the latter (as a JSON entity) is not some
narrower definition of the former.
>
> - Mike
--
Vladimir Dzhuvinov
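
Added example, not part of the original message or of any OIDC library: an RP-side check that accepts amr only as a JSON array of strings and matches a returned acr against the requested base URI before reading appended context. It assumes the appended parameters are carried as a URI query string, which the thread does not specify; the op.example.com URIs, the function names and the sample payloads are constructed.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qs


def parse_amr(claims):
    """Return amr as a list of strings; reject any entry that is not a JSON string."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def match_acr(requested_base, returned_acr):
    """Return (honoured, context) for a returned acr against the requested base URI.

    Assumption: context is appended as a query string. The base is compared
    exactly after stripping query and fragment, never with a prefix test, so
    a different URI that merely starts with the same text does not match.
    """
    if not isinstance(returned_acr, str):
        return False, {}
    parts = urlsplit(returned_acr)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if base != requested_base:
        return False, {}
    return True, parse_qs(parts.query)


# Constructed ID token payloads (claims only, signature handling omitted).
STRING_AMR = json.loads(
    '{"acr": "https://op.example.com/acr/u2f?device=token-1", "amr": ["hwk", "pwd"]}'
)
OBJECT_AMR = json.loads(
    '{"acr": "https://op.example.com/acr/u2f", "amr": [{"method": "hwk"}]}'
)

if __name__ == "__main__":
    requested = "https://op.example.com/acr/u2f"
    for claims in (STRING_AMR, OBJECT_AMR):
        print(match_acr(requested, claims["acr"]))
        try:
            print(parse_amr(claims))
        except ValueError as exc:
            print("rejected:", exc)
```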