Hello,

If a client application wants to make the authorization server return error=unmet_authentication_requirements when none of the requested ACRs is satisfied, the client application should request the "acr" claim as an "essential" claim. A straightforward way is to embed "acr":{"essential":true,"values":[...]} in the "claims" request parameter (OIDC Core Section 5.5). (NOTE: the "acr_values" request parameter and the "default_acr_values" client metadata cannot request claims as essential.)

The draft of OAuth 2.0 Step-up Authentication Challenge Protocol recommends that ACRs requested by the "acr_values" request parameter be treated as required (= essential). The recommendation may be okay, but it would be better for the specification to mention additionally that there is a standardized way to request the "acr" claim as essential. That is, it is better to introduce "acr":{"essential":true,"values":[...]} somewhere in the specification.

Best Regards,
Takahiko Kawasaki
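The distinction drawn above, as an added example that is not part of the original message: a client-side builder for the "claims" parameter and an authorization-server-side decision that returns unmet_authentication_requirements only when the unmet ACR was requested as essential (or, optionally, when "acr_values" is treated as required, as the step-up draft recommends). The parameter names come from OIDC Core; the `query` dict shape and the function names are assumptions of this example.

```python
import json

# Added example (not from the original message): how an authorization server
# could decide between issuing a token and returning the step-up error, based
# on whether the "acr" claim was requested as essential.  Parameter names
# follow OIDC Core 5.5 ("claims") and 3.1.2.1 ("acr_values"); the error name
# follows the step-up challenge draft.

UNMET = "unmet_authentication_requirements"

def build_claims_param(acrs: list[str]) -> str:
    """Client side: the 'claims' request parameter value that requests the
    acr claim as essential with the given candidate values."""
    return json.dumps({"id_token": {"acr": {"essential": True, "values": acrs}}})

def requested_acrs(query: dict) -> tuple[list[str], bool]:
    """Server side: collect requested ACRs from 'acr_values' and 'claims'.
    `query` maps request parameter names to their string values (assumed
    shape).  Only the 'claims' parameter can mark the acr claim essential."""
    values, essential = [], False
    if "acr_values" in query:
        values += query["acr_values"].split()
    if "claims" in query:
        acr = json.loads(query["claims"]).get("id_token", {}).get("acr")
        if isinstance(acr, dict):
            if "value" in acr:
                values.append(acr["value"])
            values += acr.get("values", [])
            essential = bool(acr.get("essential"))
    return values, essential

def evaluate(query: dict, achieved_acr: str, acr_values_required: bool = False) -> dict:
    """Outcome once the user has authenticated at `achieved_acr`.
    acr_values_required=True models the step-up draft's recommendation that
    ACRs from 'acr_values' be treated as required; False models OIDC Core,
    where an unmet voluntary request still yields a token carrying the
    actual acr, which the client must then check itself."""
    values, essential = requested_acrs(query)
    required = essential or (acr_values_required and "acr_values" in query)
    if values and achieved_acr not in values and required:
        return {"error": UNMET, "acr_values": " ".join(values)}
    return {"acr": achieved_acr}
```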
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth