clarify text (value vs values) in 5.5.1.1
As mentioned in https://gitlab.com/openid/conformance-suite/issues/656#note_261753367 this text in
https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics :
If the acr Claim is requested as an Essential Claim for the ID Token with a values parameter requesting specific Authentication Context Class Reference values and the implementation supports the claims parameter, the Authorization Server MUST return an acr Claim Value that matches one of the requested values. The Authorization Server MAY ask the End-User to re-authenticate with additional factors to meet this requirement. If this is an Essential Claim and the requirement cannot be met, then the Authorization Server MUST treat that outcome as a failed authentication attempt.
is potentially ambiguous. I think the explicit reference to "values" in the first sentence should be "value or values", as there seems to be no reason why an acr claim made in the following form:

```
claims: {
  id_token: {
    acr: { essential: true, value: 'urn:openbanking:psd2:sca' }
  }
}
```

should be treated differently to:

```
claims: {
  id_token: {
    acr: { essential: true, values: ['urn:openbanking:psd2:sca'] }
  }
}
```
My belief is that both forms must be treated as a failed authentication attempt if the server cannot meet that ‘sca’ acr requirement.
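The rule the issue is asking to have clarified, as an added example that is not code from the issue, the conformance suite or the OpenID specification: an Authorization Server-side check that evaluates the `acr` member of a `claims` request and treats the single `value` form and the `values` array form identically. The list of ACR values the server can assert for the current End-User (`achievableAcrs`) and the `urn:example:acr:password` ACR value are assumptions made for illustration.

```javascript
// Added example, not code from the issue, the conformance suite or the OpenID
// specification. It models the rule in OpenID Connect Core 5.5.1.1 for an
// Essential "acr" claim and treats the single-"value" and "values"-array
// request forms identically, which is the reading the issue argues for.
// `achievableAcrs` is an assumption: the list of ACR values this
// Authorization Server can assert for the current End-User, after any
// step-up authentication it is willing to perform.

// Collect the requested ACR values from an individual claim request member,
// accepting either `value: 'x'` or `values: ['x', 'y']` (or both).
function requestedAcrValues(acrRequest) {
  if (acrRequest === null || typeof acrRequest !== 'object') return [];
  const requested = [];
  if (typeof acrRequest.value === 'string') requested.push(acrRequest.value);
  if (Array.isArray(acrRequest.values)) {
    for (const v of acrRequest.values) {
      if (typeof v === 'string' && !requested.includes(v)) requested.push(v);
    }
  }
  return requested;
}

// Decide the outcome for the `acr` member of the id_token claims request.
// Returns one of:
//   { outcome: 'ok',   acr: <string|null> }  -> issue the ID Token (acr omitted if null)
//   { outcome: 'fail', reason: <string> }    -> treat as a failed authentication attempt
function resolveAcr(claimsRequest, achievableAcrs) {
  const idToken = claimsRequest && claimsRequest.id_token;
  if (!idToken || !Object.prototype.hasOwnProperty.call(idToken, 'acr')) {
    return { outcome: 'ok', acr: null }; // acr not requested at all
  }
  const acrRequest = idToken.acr;
  const essential = acrRequest !== null && acrRequest.essential === true;
  const requested = requestedAcrValues(acrRequest);

  // Pick the first requested value (request order = preference order) the AS can meet.
  const match = requested.find((v) => achievableAcrs.includes(v));
  if (match !== undefined) return { outcome: 'ok', acr: match };

  if (requested.length === 0) {
    // `acr: null` or `acr: { essential: true }` asks for the claim without
    // naming a value: return whatever ACR the AS actually performed.
    return { outcome: 'ok', acr: achievableAcrs.length > 0 ? achievableAcrs[0] : null };
  }
  if (essential) {
    // 5.5.1.1: Essential and unmet -> failed authentication attempt.
    return { outcome: 'fail', reason: 'cannot satisfy essential acr: ' + requested.join(', ') };
  }
  // Voluntary and unmet: the design choice here is to omit the claim rather
  // than return a non-matching value.
  return { outcome: 'ok', acr: null };
}

// Constructed sample requests: the two forms from the issue.
const SCA = 'urn:openbanking:psd2:sca';
const requestWithValue = { id_token: { acr: { essential: true, value: SCA } } };
const requestWithValues = { id_token: { acr: { essential: true, values: [SCA] } } };

// An AS that can only do single-factor login must fail both forms alike.
const singleFactorOnly = ['urn:example:acr:password']; // hypothetical ACR value
console.log(resolveAcr(requestWithValue, singleFactorOnly).outcome);  // fail
console.log(resolveAcr(requestWithValues, singleFactorOnly).outcome); // fail
// After step-up it can meet the requirement either way.
console.log(resolveAcr(requestWithValues, ['urn:example:acr:password', SCA]).acr); // urn:openbanking:psd2:sca
```

The point of `requestedAcrValues` is that everything downstream sees one array, so `value` and `values` cannot drift apart: an Essential request that cannot be met fails regardless of which spelling the client used, and a Voluntary one is silently omitted in both cases.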
Comments (5)
- changed milestone to Errata
- I agree that either "values" or "value" could be used.
- changed status to open
- Will be fixed by https://bitbucket.org/openid/connect/pull-requests/593
- changed status to resolved
- I agree