[Openid-specs-ab] FW: [openid/connect] Make "acr" Claim values be arrays of ACR identifiers (issue #789)

Mike Jones Michael.Jones at microsoft.com
Mon Mar 4 05:41:29 UTC 2013


I believe that we should allow multiple ACR values to be returned, like PAPE does.  I know of use cases where the OP, for instance, might return both a LOA number value and an indication of what authentication method(s) were used.  I think we'll regret it if we don't do this.

				-- Mike

-----Original Message-----
From: Michael Jones [mailto:issues-reply at bitbucket.org] 
Sent: Sunday, March 03, 2013 9:30 PM
To: Mike Jones
Subject: [openid/connect] Make "acr" Claim values be arrays of ACR identifiers (issue #789)

New issue 789: Make "acr" Claim values be arrays of ACR identifiers https://bitbucket.org/openid/connect/issue/789/make-acr-claim-values-be-arrays-of-acr

Michael Jones:

Just as was done for PAPE, we should have "acr" claim values be a list of the policies that the OP was able to satisfy/use and not assume that it's a singleton.

The PAPE language at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor9 is:

    openid.pape.auth_policies 

    One or more authentication policy URIs representing policies that the OP satisfied when authenticating the End User.
 
    Value: Space separated list of authentication policy URIs. 

I believe we'll regret it if we don't do this.

