[Openid-specs-ab] Issue #1742: Should not fail an Auth server when cannot meet the `acr_values`? (openid/connect)
Jorge Oliva Fernandez
issues-reply at bitbucket.org
Mon Nov 28 15:24:07 UTC 2022
New issue 1742: Should not fail an Auth server when cannot meet the `acr_values`?
https://bitbucket.org/openid/connect/issues/1742/should-not-fail-an-auth-server-when-cannot
Jorge Oliva Fernandez:
From the specification it is very clear to me that use of `acr_values` is a "Voluntary" way of requesting claims (1), and also that a "Voluntary claim" is just a way to notify that a claim is useful for the RP (2); consequently it seems like the Authorization Server should not fail if it is not able to provide this "Voluntary claim", which makes sense to me for example in the case that the RP requests a claim like `birthdate` and the OP doesn't know the value of this claim or the End-User doesn't consent to this claim... but for the case of the `acr` claim when using `acr_values`, the spec indicates that these are the values that the Authorization Server is being requested to use for processing the request (4), which means that the Authorization Server more than probably tries to ask the End-User to authenticate using the authentication methods that fulfil the requested acr, and if the End-User cannot fulfil it, like in any other interaction with the Authorization Server, I guess that this should fail.
So my concrete question is: can an OP fail if the RP uses `acr_values` and, when trying to make the End-User use the authentication methods (the ones that meet this acr), the End-User fails to authenticate or is not able to authenticate with this method?
An example would be: an RP requests `acr_values=psw+otp` and the OP presents the pwd screen, the End-User enters the pwd correctly, then the OP presents the OTP screen but the End-User cannot provide this proof (because he lost the OTP device or any other reason…). Can the Auth Server return an error in this situation? If not, what should be the behaviour in this case?
References:
1. In section 3.1.2.1. Authentication Request, the `acr_values` definition says: "The acr Claim is requested as a Voluntary Claim by this parameter."
2. In section 1.2. Terminology: "Voluntary Claim: Claim specified by the Client as being useful but not Essential for the specific task requested by the End-User."
3. In section 5.5.1.1. Requesting the "acr" Claim says: "If the Claim is not Essential and a requested value cannot be provided, the Authorization Server SHOULD return the session's current acr as the value of the acr Claim."
4. In section 3.1.2.1. Authentication Request, the `acr_values` definition says: "specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request,"