further definition of acr_values may be required
My understanding is that the acr_values in CIBA has the same meaning as acr_values in OIDC Core; however the latter contains extra language making it clear that acr_values is making a voluntary request, not a requirement.
We may want to explicitly state the meaning is the same as OIDCC, or make it clearer that the OP may completely ignore the requests in acr_values if it wishes.
Comments (6)
-
reporter -
In order to "make it clearer that the OP may completely ignore the requests in acr_values if it wishes", I'd propose adjusting acr_values text somewhat from:
OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value of the ID Token. When the acr_values parameter is present in the authentication request, it is RECOMMENDED that the resulting ID Token contain an acr Claim.
To:
OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The actual means of authenticating the end-user, however, are ultimately at the discretion of the OP and the Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value of the ID Token. When the acr_values parameter is present in the authentication request, it is RECOMMENDED that the resulting ID Token contain an acr Claim.
-
Proposed text is acceptable to me.
-
reporter Thanks Brian, that looks good to me.
(Personally I would go for 'REQUIRED' rather than 'RECOMMENDED' but I presume someone is aware of a reason that the OP may not want to or may be unable to share with the RP the acr that was actually used.)
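The practical consequence of the wording discussed above is that acr_values is only a preference list: the OP may pick any authentication method it likes, and the RP must therefore check the acr Claim that actually comes back in the ID Token rather than assume its request was honoured. The following Python sketch is an added example, not code from the CIBA specification or from this issue thread; the function names, the urn:example acr identifiers and the OP's supported set are all constructed for illustration.

```python
"""
Added example (not part of the CIBA spec or this issue): an OP treating
acr_values as a voluntary preference list, and an RP verifying the acr
Claim it actually received. All names and acr URNs are assumptions.
"""
from typing import Optional

# Constructed sample: the acr values this hypothetical OP is able to perform.
OP_SUPPORTED_ACRS = {
    "urn:example:acr:otp",
    "urn:example:acr:password",
}
OP_DEFAULT_ACR = "urn:example:acr:password"


def parse_acr_values(acr_values: Optional[str]) -> list:
    """Split the space-separated acr_values parameter, keeping the
    order of preference the client expressed. Empty/None means no request."""
    if not acr_values:
        return []
    return [v for v in acr_values.split(" ") if v]


def op_select_acr(acr_values: Optional[str],
                  supported=OP_SUPPORTED_ACRS,
                  default=OP_DEFAULT_ACR) -> str:
    """OP side. Honour the first requested acr the OP can satisfy; if none
    of the requested values is supported, fall back to the OP's own default.
    The OP is never obliged to satisfy the request (it is voluntary)."""
    for requested in parse_acr_values(acr_values):
        if requested in supported:
            return requested
    return default


def build_id_token_claims(acr_values: Optional[str], sub: str,
                          include_acr: bool = True) -> dict:
    """OP side. Build the ID Token claim set for the authenticated user.
    Including acr is only RECOMMENDED per the proposed text, so an OP may
    legitimately omit it (modelled by include_acr=False)."""
    claims = {"sub": sub}
    if include_acr:
        claims["acr"] = op_select_acr(acr_values)
    return claims


def rp_accepts(id_token_claims: dict, acceptable_acrs: set) -> bool:
    """RP side. Because the OP may have ignored acr_values, decide only on
    the acr Claim actually present in the ID Token. When the RP has an acr
    requirement, a missing acr Claim is treated as not satisfied."""
    acr = id_token_claims.get("acr")
    return acr is not None and acr in acceptable_acrs


if __name__ == "__main__":
    # RP asks for a hardware-backed acr first, OTP second; OP only does OTP.
    requested = "urn:example:acr:hw urn:example:acr:otp"
    token = build_id_token_claims(requested, sub="alice")
    print(token)  # acr is otp, not hw: the OP chose what it could do
    print(rp_accepts(token, {"urn:example:acr:hw"}))   # False: requirement unmet
    print(rp_accepts(token, {"urn:example:acr:otp"}))  # True
```

The RP-side check is the part that matters for security: an RP that only inspects what it sent in acr_values, and not the acr Claim returned, will silently accept a weaker authentication than it asked for.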
-
- changed milestone to CIBA Implementer's Draft
-
- changed status to resolved with adc05ae
The discussion in https://bitbucket.org/openid/mobile/issues/39/error-non-error-handling-in-case-op-cannot may also provide extra background.