Additional metadata in authorization details
In PR249, we discussed that clients may want to know how and when the user granted it.
It would be useful to have
- amr/acr
- auth_time
Any other suggestions?
Comments (8)
- changed status to open
- Talked about it in Apr 28 call that we should just add auth_time.
- Brian pointed out, we will need such a time for every authorization request adding privileges to a grant.
- Discussed it on the call with Torsten and Stuart: auth_time can be added as a claim or into authorization_details structure if required. There is no need to have it in Grant Management specification.
  Is that Ok @Kosuke Koiwai ?
- For clarity “claim” above is a reference to this part of the existing spec (Query Status of Grant):
  * `claims`: JSON array containing the names of all OpenID Connect claims (see [@!OpenID]) as requested and consented in one or more authorization requests associated with the respective grant.
- So if an RP wants to get auth_time, it should get userinfo or id_token. Not straightforward but it should serve the purpose. Thanks!
- changed status to resolved
- I think time of approval seems reasonable.
- Why should we expose authentication data to the client? If the client is an OpenID Connect RP, this might make sense. In all other cases, this information is relevant to the RS only as the RS wants to make sure the RO was authenticated sufficiently when approving the grant.