clarify text (value vs values) in 5.5.1.1

Issue #1143 open
Joseph Heenan created an issue

As mentioned in https://gitlab.com/openid/conformance-suite/issues/656#note_261753367 this text in

https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics :

If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt.

is potentially ambiguous. I think the explicit reference to ‘values’ in the first sentence should be “value or values” as there seems no reason why an acr claim made in the following form:

```json
{
  "claims": {
    "id_token": {
      "acr": { "essential": true, "value": "urn:openbanking:psd2:sca" }
    }
  }
}
```

should be treated differently to:

```json
{
  "claims": {
    "id_token": {
      "acr": { "essential": true, "values": ["urn:openbanking:psd2:sca"] }
    }
  }
}
```

My belief is that both forms must be treated as a failed authentication attempt if the server cannot meet that ‘sca’ acr requirement.
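As an added illustration (not code from the issue, the spec or the conformance suite), this is how an Authorization Server could evaluate a requested `acr` claim so that the singular `value` and plural `values` forms are handled identically, returning a failed-authentication outcome only when the claim is essential and unmet. The function and outcome names are assumptions; the sample requests are constructed from the two forms above.

```python
from __future__ import annotations
import json
from typing import List, Optional, Tuple

def requested_acr_values(claims_request: dict) -> Tuple[bool, Optional[List[str]]]:
    """Return (essential, requested) for the acr claim of a claims request.

    'value' and 'values' are normalised into one list, so the two request
    forms from the issue are indistinguishable from here on. requested is
    None when acr is absent or requested without a preferred value.
    """
    id_token = claims_request.get("id_token") or {}
    if "acr" not in id_token:
        return False, None           # acr not requested at all
    acr = id_token["acr"]
    if not isinstance(acr, dict):
        return False, None           # "acr": null means any value is fine
    essential = bool(acr.get("essential", False))
    if "value" in acr:
        requested = [acr["value"]]
    elif "values" in acr:
        requested = list(acr["values"])
    else:
        requested = None
    return essential, requested

def check_acr(claims_request: dict, achieved_acr: Optional[str]) -> str:
    """Outcome of the acr requirement (hypothetical labels):
    'ok'             - no preference, or achieved acr is one of those requested
    'fail'           - essential claim unmet: treat as failed authentication
    'voluntary_unmet'- non-essential claim unmet: not an authentication failure
    """
    essential, requested = requested_acr_values(claims_request)
    if requested is None or achieved_acr in requested:
        return "ok"
    return "fail" if essential else "voluntary_unmet"

# Constructed sample claims parameters mirroring the two forms in the issue.
REQUEST_VALUE = json.loads(
    '{"id_token": {"acr": {"essential": true, "value": "urn:openbanking:psd2:sca"}}}')
REQUEST_VALUES = json.loads(
    '{"id_token": {"acr": {"essential": true, "values": ["urn:openbanking:psd2:sca"]}}}')

if __name__ == "__main__":
    for name, req in (("value", REQUEST_VALUE), ("values", REQUEST_VALUES)):
        print(name, check_acr(req, "urn:openbanking:psd2:sca"), check_acr(req, None))
```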

Comments (3)

  1. Filip Skokan

    I think the explicit reference to ‘values’ in the first sentence should be “value or values” as there seems no reason why an acr claim made in the following form:

    I agree 💯
