[Openid-specs-fapi] Issue #154: Behaviour of AS undefined if no acr claim supplied by client (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Tue Jul 31 06:17:21 UTC 2018


New issue 154: Behaviour of AS undefined if no acr claim supplied by client
https://bitbucket.org/openid/fapi/issues/154/behaviour-of-as-undefined-if-no-acr-claim

Joseph Heenan:

FAPI part 2 says:

> Part1. 5.2.3. public client
> 3. shall request user authentication at LoA 3 or greater by requesting the acr claim as an essential claim as defined in section 5.5.1.1 of OIDC;

There's no corresponding requirement on the server.

As far as I can tell every openbanking implementation supplies a default if the client doesn't pass an acr claim.

By contrast the current implementation of Authlete shows an error to the user in this case.

(We discovered this as the FAPI conformance suite we've been working on does not currently supply an acr claim due to an oversight...)

It may be worth being more explicit about how the server should handle this case to improve interoperability.
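As an added illustration of the interop point in this thread (example code written for this page, not from the FAPI spec, Authlete, or any Open Banking implementation): a client-side helper that builds the `claims` parameter requesting `acr` as an essential claim per OIDC Core 5.5.1.1, and a hypothetical AS-side decision function that shows the two server behaviours described above when no `acr` claim is requested at all, either applying an ecosystem default or rejecting the request. The acr identifiers and the error code chosen for an unmet essential claim are assumptions made for the example.

```python
import json

# Constructed acr identifiers for illustration only; a real ecosystem defines
# its own (the example does not reuse any Open Banking identifier).
ACR_LOA2 = "urn:example:loa2"
ACR_LOA3 = "urn:example:loa3"


def build_claims_request(acr_values):
    """Client side: the 'claims' request parameter asking for acr as an
    essential ID Token claim with specific values (OIDC Core 5.5.1.1),
    which is what FAPI Part 1 5.2.3 item 3 requires of a public client."""
    return json.dumps({"id_token": {"acr": {"essential": True,
                                            "values": list(acr_values)}}})


def parse_acr_request(claims_param):
    """Return (present, essential, values) for the acr entry of a 'claims'
    parameter.  Raises ValueError on malformed JSON or a non-object value."""
    if claims_param is None:
        return (False, False, None)
    try:
        claims = json.loads(claims_param)
    except ValueError as exc:
        raise ValueError("claims parameter is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("claims parameter must be a JSON object")
    id_token = claims.get("id_token") or {}
    if "acr" not in id_token:
        return (False, False, None)
    spec = id_token["acr"] or {}          # null means "requested as voluntary"
    essential = bool(spec.get("essential", False))
    values = spec.get("values")
    if values is None and "value" in spec:
        values = [spec["value"]]
    return (True, essential, values)


def authorize(claims_param, performed_acr, default_acr=None):
    """Hypothetical AS-side decision for the acr claim once the End-User has
    authenticated at `performed_acr`.

    `default_acr` is the level the server assumes when the client sent no acr
    request (the defaulting behaviour the post attributes to Open Banking
    implementations); None means reject such a request instead (the
    erroring behaviour the post attributes to Authlete).

    Returns {"acr": ...} for the ID Token, or {"error": ..., "reason": ...}.
    """
    try:
        present, essential, values = parse_acr_request(claims_param)
    except ValueError as exc:
        return {"error": "invalid_request", "reason": str(exc)}

    if not present:
        if default_acr is None:
            return {"error": "invalid_request",
                    "reason": "no acr claim requested and no server default"}
        # Treat the missing claim as if the client had asked for the default
        # as an essential value.
        essential, values = True, [default_acr]

    if essential and values and performed_acr not in values:
        # OIDC Core 5.5.1.1: an unmet essential acr with values is a failed
        # authentication.  The error code "access_denied" is an assumption;
        # the spec does not fix the code for this case.
        return {"error": "access_denied",
                "reason": "essential acr %s not satisfied by %s"
                          % (values, performed_acr)}

    # Voluntary, essential without values, or satisfied essential: report the
    # acr that was actually performed.
    return {"acr": performed_acr}


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: a client that forgot the acr
    # claim against a defaulting AS and against a rejecting AS.
    print(authorize(None, ACR_LOA3, default_acr=ACR_LOA3))
    print(authorize(None, ACR_LOA3))
    print(authorize(build_claims_request([ACR_LOA3]), ACR_LOA2))
```

`parse_acr_request` also accepts the `value` and `null` forms of a claims entry, since an AS that only handles the `values` array would reject otherwise valid requests, which is the same class of interop problem the issue describes.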