further definition of acr_values may be required

Issue #141 resolved
Joseph Heenan created an issue

My understanding is that the acr_values in CIBA has the same meaning as acr_values in OIDC Core; however the latter contains extra language making it clear that acr_values is making a voluntary request, not a requirement.

We may want to explicitly state the meaning is the same as OIDCC, or make it clearer that the OP may completely ignore the requests in acr_values if it wishes.

Comments (6)

  1. Brian Campbell

    In order to "make it clearer that the OP may completely ignore the requests in acr_values if it wishes", I'd propose adjusting acr_values text somewhat from:

    OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value of the ID Token. When the acr_values parameter is present in the authentication request, it is RECOMMENDED that the resulting ID Token contain an acr Claim.

    To:

    OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The actual means of authenticating the end-user, however, are ultimately at the discretion of the OP and the Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value of the ID Token. When the acr_values parameter is present in the authentication request, it is RECOMMENDED that the resulting ID Token contain an acr Claim.

  2. Joseph Heenan reporter

    Thanks Brian, that looks good to me.

    (Personally I would go for 'REQUIRED' rather than 'RECOMMENDED' but I presume someone is aware of a reason that the OP may not want to or may be unable to share with the RP the acr that was actually used.)
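The practical consequence of the wording discussed in this issue is on the RP side: since acr_values is only a request, the RP cannot assume the OP honoured it and has to check the acr claim that actually comes back, and since the acr claim is only RECOMMENDED (the point raised in the comment above), it also has to decide what to do when no acr is present. The following Python is an added example written for this page, not code from the CIBA specification or from anyone in the thread. It assumes the ID Token has already been signature-checked and its standard claims validated; the acr names and the `build_acr_values`, `evaluate_acr` helpers are constructed for illustration.

```python
"""RP-side handling of acr_values versus the returned acr claim.

Added example; not from the CIBA spec or the issue thread. Assumes the
ID Token signature, iss, aud, exp etc. were validated elsewhere. The acr
identifiers used below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def build_acr_values(preferred: list[str]) -> str:
    """Serialise the RP's preference list as the acr_values request
    parameter: space-separated, most preferred first (OIDC Core / CIBA
    syntax). Empty values or values containing spaces are rejected because
    they cannot be represented in that encoding."""
    if not preferred or any((not v or " " in v) for v in preferred):
        raise ValueError("acr values must be non-empty and contain no spaces")
    return " ".join(preferred)


@dataclass
class AcrDecision:
    accepted: bool
    reason: str
    acr: Optional[str]


def evaluate_acr(id_token_claims: dict, requested: list[str],
                 acceptable: set[str]) -> AcrDecision:
    """Decide whether the authentication reported in the ID Token meets the
    RP's own policy.

    acr_values is a voluntary request, so the OP may have used any acr, or
    none at all. `requested` is therefore only used for diagnostics;
    `acceptable` (the acr values the RP is actually willing to rely on) is
    what gets enforced."""
    acr = id_token_claims.get("acr")
    if acr is None:
        # An acr claim is only RECOMMENDED when acr_values was sent, so the
        # RP must treat its absence as "unknown method", not as success.
        return AcrDecision(False, "no acr claim in ID Token", None)
    if not isinstance(acr, str):
        return AcrDecision(False, "acr claim is not a string", None)
    if acr in acceptable:
        note = ("matched a requested value" if acr in requested
                else "OP chose a value outside acr_values that the RP accepts")
        return AcrDecision(True, note, acr)
    return AcrDecision(False, f"acr {acr!r} not acceptable to RP", acr)


if __name__ == "__main__":
    # Constructed sample values: the RP asks for MFA first, password second,
    # but will only rely on the MFA context for this transaction.
    wanted = ["urn:example:mfa", "urn:example:pwd"]
    policy = {"urn:example:mfa"}
    print("acr_values =", build_acr_values(wanted))
    for claims in ({"acr": "urn:example:mfa"},
                   {"acr": "urn:example:pwd"},
                   {}):
        print(claims, "->", evaluate_acr(claims, wanted, policy))
```

The separation between `requested` and `acceptable` is deliberate: what the RP asks for and what it will accept are different policies, and collapsing them is how an RP ends up trusting an OP that silently downgraded the authentication method.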
