Messages - Do we need three ways of requesting "acr" values?
Issue #766
wontfix
We currently have 3 ways of requesting "acr" values:
- The "default_acr_values" registration parameter.
- The "acr_values" request parameter.
- The "acr": {"values": ...} claim request.
Which of these should we keep?
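The three request forms side by side, with the way an OP might resolve them into one requirement. This is an added example and not part of the original issue or the specification text. The order between the claims request and "acr_values" when both are present is an assumption of this sketch; that either one overrides the registered defaults follows OpenID Connect Core. The names `resolve_acr` and `authentication_ok` and the ACR URNs are hypothetical.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample data; the ACR URNs are placeholders, not registered values.
REGISTRATION = {"default_acr_values": ["urn:example:loa1"]}
Q_DEFAULT = urlencode({"scope": "openid"})
Q_PARAM = urlencode({"scope": "openid", "acr_values": "urn:example:loa2 urn:example:loa1"})
Q_CLAIMS = urlencode({
    "scope": "openid",
    "acr_values": "urn:example:loa2",
    "claims": json.dumps(
        {"id_token": {"acr": {"essential": True, "values": ["urn:example:loa3"]}}}),
})


def resolve_acr(registration, query):
    """Return (requested_values, essential) for one authorization request."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    # 1. "acr" claim request; the only form that can be marked essential.
    #    (Assumed here to win over "acr_values" when both are sent.)
    claims = json.loads(params.get("claims", "{}"))
    acr = (claims.get("id_token") or {}).get("acr") or {}
    values = acr.get("values") or ([acr["value"]] if "value" in acr else [])
    if values:
        return values, bool(acr.get("essential", False))
    # 2. "acr_values" parameter: space-separated, in preference order, voluntary.
    if "acr_values" in params:
        return params["acr_values"].split(), False
    # 3. Registered "default_acr_values": used only when the request has neither.
    return list(registration.get("default_acr_values", [])), False


def authentication_ok(requested, essential, achieved):
    """An unmet voluntary request still succeeds; an unmet essential one fails."""
    if not requested or achieved in requested:
        return True
    return not essential
```

Only the third sample request turns an unmet ACR into a failed authentication, which is the behaviour the essential-claim form exists to provide.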
Comments (6)
- reporter We could eliminate 2 if every trust framework using ACRs mandated support for requesting the "acr" claim in the "claims" request parameter.
- reporter - changed status to on hold
  We will possibly reconsider this after more implementation experience.
- reporter - changed status to open
  There are reasons for all the methods in the spec. There isn't consensus to remove any of them.
  John said that there are privacy reasons to want to be able to request "acr" as an essential claim and return an error if it fails.
- reporter - changed milestone to Final
- assigned issue to
- reporter - changed status to wontfix
Seems like too many ways. Some kind of support for the "step up" use case is needed but one way is probably enough.