[OpenID-specs-EAP] use of amr and acr
Mike Schwartz
mike at gluu.org
Fri Sep 16 14:12:48 UTC 2016
I can say how we've been dealing with this issue at Gluu, although I
suspect you will all reject our solution...
In the Gluu Server, you can define multiple workflows for
authentication. You can assign each such workflow an integer value.
Let's say:
1 Basic
3 Mobile Authn
5 U2F Token
10 Smart Card
We return these integers as the first value in the amr array in the
id_token.
An application may specify acr_values in the authorization request. If
the acr_values has an amr "auth-level" which is > the current, an error
is returned. The client must then use prompt=login and specify this
higher acr (or revert to a lower acr_values).
Siteminder and other SSO systems have been using auth-level for 20 years
or so, so I think it's going to be pretty hard for enterprises to give
up this concept. It's sometimes embedded in policy. Of course there is
no way to define global levels, but each IDP, which understands the
relative risk profile of each of its authn mechanisms, can do so.
Anyway, just wanted to throw it out there. Feel free to shoot this
solution full of holes now...
- Mike
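A small model of the auth-level scheme described in the post, added here as an example (it is not Gluu's code). The level table uses the post's numbers; the function names, the error string, the simulated step-up on prompt=login, and the RP-side check are assumptions.

```python
# Added example, not Gluu's code: the "auth-level" scheme from the post.
# Level names and integers are the post's; everything else is hypothetical.
from dataclasses import dataclass
from typing import Optional

# Integer auth-level per authentication workflow, as listed in the post.
AUTH_LEVELS = {"basic": 1, "mobile_authn": 3, "u2f_token": 5, "smart_card": 10}


@dataclass
class Session:
    """The user's current IdP session: the workflow they last completed."""
    workflow: str


def level_of(workflow: str) -> int:
    return AUTH_LEVELS[workflow]


def requested_level(acr_values: Optional[str]) -> int:
    """acr_values is space-separated; the request is the highest level named.
    Unknown acr names are ignored here (assumption; a real IdP may reject them)."""
    if not acr_values:
        return 0
    return max((AUTH_LEVELS[v] for v in acr_values.split() if v in AUTH_LEVELS), default=0)


def authorize(session: Session, acr_values: Optional[str], prompt: Optional[str] = None) -> dict:
    """IdP-side decision, as the post describes it:
    - requested level > current level and no prompt=login  -> error
    - requested level > current level with prompt=login    -> step-up (simulated)
    - otherwise issue an id_token whose amr array starts with the integer level
    """
    want = requested_level(acr_values)
    have = level_of(session.workflow)
    if want > have:
        if prompt != "login":
            return {"error": "insufficient_auth_level", "current_level": have, "required_level": want}
        # Simulated step-up: the lowest-cost workflow that satisfies the request.
        session.workflow = min((w for w, lvl in AUTH_LEVELS.items() if lvl >= want), key=level_of)
        have = level_of(session.workflow)
    # amr[0] is the integer level (the post); the workflow name after it is an assumption.
    return {"id_token": {"amr": [have, session.workflow]}}


def rp_accepts(id_token: dict, minimum_level: int) -> bool:
    """RP-side check: do not assume the IdP enforced the level; verify amr[0] yourself."""
    amr = id_token.get("amr") or []
    return bool(amr) and isinstance(amr[0], int) and amr[0] >= minimum_level
```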