[Openid-specs-ab] Introspection Profile for OpenID Connect

mike at gluu.org
Fri Sep 13 16:00:32 UTC 2013

Here is another clarification...

Let's say I have two apps:
1. app1 - requires acr = http://gluu.org/authn/auth_level/1
2. app2 - requires acr = http://gluu.org/authn/auth_level/2

I want SSO between two apps:

1) A Person tries to log in to app1 (auth_level=1) => got token1

2) Then the Person tries to log in to app2 with token1. So app2 needs
to introspect token1 to get auth_level to make sure it's 2 or higher.

Is this just out of scope of OpenID Connect? I thought the use of acr
was in Connect?
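
The check the message describes for app2, as an added example that is not part of the original post. It assumes the introspection result is a decoded dict with `active` and `acr` keys and that the two acr URIs are ordered by their trailing number; `check_acr`, `ACR_RANK` and `TOKEN1` are hypothetical names.

```python
# Added illustration; names here are hypothetical, not from the post or a spec.

# Assumed ordering of the two acr URIs named in the post (weakest first).
ACR_RANK = {
    "http://gluu.org/authn/auth_level/1": 1,
    "http://gluu.org/authn/auth_level/2": 2,
}


def check_acr(introspection, required_acr, ranks=ACR_RANK):
    """Decide whether a token's authentication context satisfies an app.

    `introspection` is assumed to be the decoded response app2 gets back
    when it introspects token1: a dict with `active` and `acr` keys.
    Returns ("allow" | "step_up" | "deny", reason).
    """
    if required_acr not in ranks:
        raise ValueError("required acr is not in the ranking table")
    if introspection.get("active") is not True:
        return "deny", "token is not active"
    acr = introspection.get("acr")
    if acr is None:
        # No statement about how the person authenticated: assume no level.
        return "step_up", "token carries no acr"
    if acr not in ranks:
        # acr values are opaque strings; an unknown one cannot be ordered.
        return "step_up", "unrecognised acr"
    if ranks[acr] < ranks[required_acr]:
        return "step_up", "acr below required level"
    return "allow", "acr meets required level"


# Constructed sample: token1 as issued after the level-1 login to app1.
TOKEN1 = {"active": True, "acr": "http://gluu.org/authn/auth_level/1"}

if __name__ == "__main__":
    for app, need in (("app1", "http://gluu.org/authn/auth_level/1"),
                      ("app2", "http://gluu.org/authn/auth_level/2")):
        print(app, check_acr(TOKEN1, need))
```

A "step_up" result means app2 should send the person back to authenticate at the higher level instead of accepting token1.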


