Make "acr" Claim values be arrays of ACR identifiers

Issue #789 resolved
Michael Jones created an issue

Just as was done for PAPE, we should have "acr" claim values be a list of the policies that the OP was able to satisfy/use and not assume that it's a singleton.

The PAPE language at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor9 is:

openid.pape.auth_policies

One or more authentication policy URIs representing policies that the OP satisfied when authenticating the End User.

Value: Space separated list of authentication policy URIs.

I believe we'll regret it if we don't do this.

Comments (3)

  1. Michael Jones reporter

    Rather than making "acr" multi-valued, we will define a new "amr" (authentication methods references) claim, whose value is a list of authentication method references.

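An added example, not part of the original issue or of any OpenID specification text: a relying-party check that follows the resolution above, treating "acr" as a single string and "amr" as a list of strings, plus a parser for the space-separated PAPE form quoted in the issue. The function names, the accepted and required sets, and all sample values are assumptions constructed for illustration.

```python
# Added example: relying-party checks on authentication-context claims.
# Assumption: claims is the already signature-verified ID token payload (a dict).

def parse_pape_policies(value):
    """Split a PAPE openid.pape.auth_policies value (space separated URIs)."""
    return [p for p in value.split(" ") if p]

def check_auth_context(claims, accepted_acr, required_amr):
    """Return a list of problems; an empty list means the claims are acceptable."""
    problems = []
    acr = claims.get("acr")
    if not isinstance(acr, str):
        # Reject arrays outright: a test such as `"x" in acr` silently changes
        # from substring match to membership test when the type changes.
        problems.append("acr must be a single string")
    elif acr not in accepted_acr:
        problems.append("acr %r not accepted" % acr)
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        problems.append("amr must be a list of strings")
    else:
        missing = sorted(set(required_amr) - set(amr))
        if missing:
            problems.append("amr missing: " + ", ".join(missing))
    return problems

# Constructed sample values (hypothetical identifiers, not taken from the page).
ACCEPTED_ACR = {"urn:example:acr:silver"}
REQUIRED_AMR = ["pwd", "otp"]

if __name__ == "__main__":
    good = {"acr": "urn:example:acr:silver", "amr": ["pwd", "otp"]}
    as_array = {"acr": ["urn:example:acr:silver"], "amr": ["pwd", "otp"]}
    print(check_auth_context(good, ACCEPTED_ACR, REQUIRED_AMR))
    print(check_auth_context(as_array, ACCEPTED_ACR, REQUIRED_AMR))
    print(parse_pape_policies("http://example.com/p1 http://example.com/p2"))
```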