Hi Takahiko,
thanks for the comment!
The use of the claims parameter for this use case is tricky.
1) if used as is, requesting a particular acr via claims isn't guaranteed
to have any effect on the content of an access token, if an access token is
even present: OIDC only defines the claims as having an effect on id_token
and/or userinfo.
2) pulling in the claims parameter here would vastly exceed the scope of
this specification, as the expressive power of claims goes well beyond
requesting acr (possibly one of the reasons for which it doesn't enjoy
widespread support) and defining its effects on access tokens would require
a lot more work than what's needed to achieve the step up scenario.
I hope this helps!
Cheers,
V.
On Wed, Nov 2, 2022 at 10:30 AM Takahiko Kawasaki <t...@authlete.com> wrote:

> Hello,
>
> If a client application wants to make the authorization server return
> error=unmet_authentication_requirements when none of the requested ACRs is
> satisfied, the client application should request the "acr" claim as an
> "essential" claim. A straightforward way is to embed
> "acr":{"essential":true,"values":[...]} in the "claims" request parameter
> (OIDC Core Section 5.5). (NOTE: the "acr_values" request parameter and the
> "default_acr_values" client metadata cannot request claims as essential.)
>
> The draft of OAuth 2.0 Step-up Authentication Challenge Protocol
> recommends that ACRs requested by the "acr_values" request parameter be
> treated as required (= essential). The recommendation may be okay, but it
> would be better for the specification to mention additionally that there
> is a standardized way to request the "acr" claim as essential. That is, it
> is better to introduce "acr":{"essential":true,"values":[...]} somewhere in
> the specification.
>
> Best Regards,
> Takahiko Kawasaki
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
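The two mechanisms discussed in this thread, as an added example that is not part of either message: a client building the "claims" parameter so that acr is an essential id_token claim (OIDC Core 5.5), and an authorization server deciding whether it must answer error=unmet_authentication_requirements, treating acr_values as required the way the step-up draft recommends. The function names and the urn:example:* ACR values are constructed for this illustration.

```python
import json
from typing import Iterable

UNMET = "unmet_authentication_requirements"


def build_claims_param(acr_values: Iterable[str]) -> str:
    """Return the JSON value of the 'claims' request parameter that requests
    acr as an ESSENTIAL id_token claim with the given acceptable values
    (OIDC Core 5.5.1.1). Voluntary requests simply omit "essential"."""
    claims = {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}
    return json.dumps(claims, separators=(",", ":"))


def required_acrs(params: dict) -> list[str]:
    """Collect the ACR values the authorization server must treat as required.

    - acr_values: space-separated; treated as required here, following the
      step-up draft recommendation (plain OIDC treats them as voluntary).
    - claims: acr values marked essential for the id_token. A non-essential
      acr request contributes nothing, so it can never trigger the error.
    """
    required: list[str] = []
    if params.get("acr_values"):
        required.extend(params["acr_values"].split())
    if params.get("claims"):
        acr_req = json.loads(params["claims"]).get("id_token", {}).get("acr")
        if isinstance(acr_req, dict) and acr_req.get("essential"):
            required.extend(acr_req.get("values", []))
    return required


def evaluate(params: dict, achieved_acr: str) -> dict:
    """Simulate the AS decision once the user's authentication reached
    achieved_acr: either the standardized error, or the acr to place in
    the id_token."""
    required = required_acrs(params)
    if required and achieved_acr not in required:
        # None of the required ACRs was satisfied.
        return {"error": UNMET}
    return {"acr": achieved_acr}


if __name__ == "__main__":
    req = {"claims": build_claims_param(["urn:example:mfa"])}
    print(evaluate(req, "urn:example:pwd"))   # error case
    print(evaluate(req, "urn:example:mfa"))   # satisfied case
```

The decision shown covers the id_token only; as the reply above points out, the claims parameter says nothing about what an access token must carry.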