FAPI-R/RW: Bring clauses about acr inline with usage
Joseph Heenan
Branch: josephheenan/fapi:part2-acr
Branch: openid/fapi:master
Merged
Merged pull request
Merged in josephheenan/fapi/part2-acr (pull request #115)
Merged in josephheenan/fapi/part2-acr (pull request #115)
FAPI-R/RW currently contain various clauses about acr and amr, which we're not seeing actually used seriously in deployments of FAPI.
The 'amr' clause has, as far as I know, never been applied.
The 'acr' and LoA3 requirements differ from what it actually applied, and are really something for an ecosystem to define rather than a standard.
The clauses are distilled down to their core underlying statement, i.e. that both the authorization server and the client must make sure they're level of confidence they have in the authentication is appropriate for their purposes.
Ecosystems may continue to define acr values and require them to be sent.
closes #218