Thank you.

1) The same points are true of "acr_values".

2) The expressive power and popularity don't have to stop the spec from
kindly mentioning the standardized way which was defined 8 years ago.

Taka

Thu, Nov 3, 2022, 22:04 Vittorio Bertocci <vitto...@auth0.com>:

> Hi Takahiko,
> thanks for the comment!
> The use of the claims parameter for this use case is tricky.
> 1) if used as is, requesting a particular acr via claims isn't guaranteed
> to have any effect on the content of an access token, if an access token is
> even present: OIDC only defines the claims as having an effect on id_token
> and/or userinfo.
> 2) pulling in the claims parameter here would vastly exceed the scope of
> this specification, as the expressive power of claims goes well beyond
> requesting acr (possibly one of the reasons for which it doesn't enjoy
> widespread support) and defining its effects on access tokens would require
> a lot more work than what's needed to achieve the step up scenario.
> I hope this helps!
> Cheers,
> V.
> On Wed, Nov 2, 2022 at 10:30 AM Takahiko Kawasaki <t...@authlete.com>
> wrote:
>
>> Hello,
>>
>> If a client application wants to make the authorization server return
>> error=unmet_authentication_requirements when none of the requested ACRs is
>> satisfied, the client application should request the "acr" claim as an
>> "essential" claim. A straightforward way is to embed
>> "acr":{"essential":true,"values":[...]} in the "claims" request parameter
>> (OIDC Core Section 5.5). (NOTE: the "acr_values" request parameter and the
>> "default_acr_values" client metadata cannot request claims as essential.)
>>
>> The draft of OAuth 2.0 Step-up Authentication Challenge Protocol
>> recommends that ACRs requested by the "acr_values" request parameter be
>> treated as required (= essential). The recommendation may be okay, but it
>> would be better for the specification to mention additionally that there
>> is a standardized way to request the "acr" claim as essential. That is, it
>> is better to introduce "acr":{"essential":true,"values":[...]} somewhere in
>> the specification.
>>
>> Best Regards,
>> Takahiko Kawasaki
>>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
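As an added illustration (not code from either message, nor from the step-up draft or any library), the following Python sketches both sides of the exchange discussed in the thread: the client embeds "acr":{"essential":true,"values":[...]} in the "claims" parameter under its id_token member (OIDC Core 5.5), and the authorization server answers error=unmet_authentication_requirements only when an essential acr request is unmet, while treating a bare "acr_values" parameter as required, as the draft recommends. Function names, the sample client values and the example ACR URNs are assumptions.

```python
import json
from urllib.parse import urlencode

UNMET = "unmet_authentication_requirements"  # the error code the client wants back


def build_claims_request(acrs):
    """Client side (hypothetical helper): request the acr claim as essential
    through the OIDC 'claims' parameter, id_token member (OIDC Core 5.5)."""
    return {"id_token": {"acr": {"essential": True, "values": list(acrs)}}}


def authorization_query(client_id, redirect_uri, acrs):
    """Serialize an authorization request carrying that claims parameter.
    client_id and redirect_uri are constructed sample values."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "claims": json.dumps(build_claims_request(acrs), separators=(",", ":")),
    })


def evaluate_acr(claims_param, acr_values, achieved_acr):
    """Authorization server side (hypothetical helper). Returns (ok, error).
    - 'claims' with acr essential and achieved_acr outside 'values' -> UNMET
    - 'claims' with a voluntary (non-essential) acr -> never fails
    - bare 'acr_values' -> treated as required, as the step-up draft recommends
    When both are present, any value from either set is accepted."""
    acceptable = set()
    if acr_values:
        acceptable.update(acr_values.split())  # space-separated list
    if claims_param:
        try:
            claims = json.loads(claims_param) if isinstance(claims_param, str) else claims_param
        except json.JSONDecodeError:
            return False, "invalid_request"
        if not isinstance(claims, dict):
            return False, "invalid_request"
        acr_req = (claims.get("id_token") or {}).get("acr")  # null means voluntary
        if isinstance(acr_req, dict) and acr_req.get("essential"):
            wanted = acr_req.get("values")
            if wanted is None and "value" in acr_req:
                wanted = [acr_req["value"]]
            if wanted is not None:  # essential without values: any acr will do
                acceptable.update(wanted)
    if acceptable and achieved_acr not in acceptable:
        return False, UNMET
    return True, None
```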
