[Openid-specs-ab] Issue #1143: clarify text (value vs values) in 5.5.1.1 (openid/connect)

josephheenan issues-reply at bitbucket.org
Tue Dec 17 16:00:00 UTC 2019


New issue 1143: clarify text (value vs values) in 5.5.1.1
https://bitbucket.org/openid/connect/issues/1143/clarify-text-value-vs-values-in-5511

Joseph Heenan:

As mentioned in [https://gitlab.com/openid/conformance-suite/issues/656#note_261753367](https://gitlab.com/openid/conformance-suite/issues/656#note_261753367) this text in [https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics](https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics):

> If the `acr` Claim is requested as an Essential Claim for the ID Token with a `values` parameter requesting specific Authentication Context Class Reference values and the implementation supports the `claims` parameter, the Authorization Server MUST return an `acr` Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt.

is potentially ambiguous. I think the explicit reference to ‘values’ in the first sentence should be “value or values” as there seems no reason why an acr claim made in the following form:

```
claims: {
  id_token: {
    acr: { essential: true, value: 'urn:openbanking:psd2:sca' }
  }
}
```

should be treated differently to:

```
claims: {
  id_token: {
    acr: { essential: true, values: ['urn:openbanking:psd2:sca'] }
  }
}
```

My belief is that both forms must be treated as a failed authentication attempt if the server cannot meet that ‘sca’ acr requirement.




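Server-side handling of the two request forms, as an added example that is not part of the issue text, the OpenID Connect specification, or the conformance suite's own code. It normalises the `value` and `values` forms of the `acr` request into one list (the reading proposed in the issue), compares the list against the ACR the End-User actually achieved, and treats an unmet Essential Claim as a failed authentication attempt. The two request bodies are the issue's examples rendered as JSON (the `claims` parameter is JSON on the wire); the achieved ACR values, the `evaluate_acr` function and the outcome strings are constructed for this example, and the behaviour for a voluntary (non-essential) `acr` request is an assumption that the achieved ACR is simply returned.

```python
import json

# The two request forms from the issue, rendered as the JSON carried in the
# `claims` request parameter (constructed sample input for this example).
SINGLE_VALUE_FORM = json.dumps({
    "id_token": {"acr": {"essential": True, "value": "urn:openbanking:psd2:sca"}}
})
VALUES_FORM = json.dumps({
    "id_token": {"acr": {"essential": True, "values": ["urn:openbanking:psd2:sca"]}}
})

_MISSING = object()


def requested_acr(claims_param):
    """Extract the acr request from the id_token section of `claims`.

    Returns None when acr was not requested at all, otherwise a tuple
    (essential, wanted) where `wanted` is a list built from BOTH the
    `value` and `values` members, so the two forms are indistinguishable
    to the rest of the server.
    """
    claims = json.loads(claims_param) if isinstance(claims_param, str) else claims_param
    id_token_claims = (claims or {}).get("id_token") or {}
    spec = id_token_claims.get("acr", _MISSING)
    if spec is _MISSING:
        return None
    # A JSON `null` member means "requested, any value, voluntary".
    spec = spec or {}
    essential = bool(spec.get("essential", False))
    wanted = []
    if "value" in spec:
        wanted.append(spec["value"])
    if "values" in spec:
        wanted.extend(spec["values"])
    return essential, wanted


def evaluate_acr(claims_param, achieved_acr):
    """Decide the Authorization Server's outcome after the End-User has
    authenticated at `achieved_acr` (constructed helper, not from the spec).

    - requirement met (or no specific value asked for): issue ID Token with acr
    - Essential Claim not met: failed authentication attempt, no ID Token
    - voluntary claim not met (assumption): issue ID Token with the achieved acr
    """
    req = requested_acr(claims_param)
    if req is None:
        return {"outcome": "not_requested", "acr": None}
    essential, wanted = req
    if not wanted or achieved_acr in wanted:
        return {"outcome": "ok", "acr": achieved_acr}
    if essential:
        return {"outcome": "failed_authentication", "acr": None}
    return {"outcome": "ok_voluntary_unmet", "acr": achieved_acr}


if __name__ == "__main__":
    # Constructed ACR values: one that satisfies the request and one that does not.
    for form_name, form in (("value", SINGLE_VALUE_FORM), ("values", VALUES_FORM)):
        for achieved in ("urn:openbanking:psd2:sca", "urn:example:single-factor"):
            print(form_name, achieved, evaluate_acr(form, achieved))
```

The point the issue makes is visible in the decision table: for any achieved ACR, `evaluate_acr` returns the same outcome for the `value` form as for the `values` form, and when the ACR cannot be met the Essential flag turns the result into a failed authentication rather than an ID Token with a weaker `acr`.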