Overview#

Authentication Context Class Reference (acr) is an OPTIONAL Claim within the Identity Token for OpenID Connect.

The Authentication Context Class Reference is a case-sensitive string specifying a list of Authentication Context Class values that identifies the Authentication Context Class that the performed authentication satisfied, implying a Level Of Assurance.

An absolute URI or an entry from the IANA Registry for Level of Assurance (LoA) Profiles (RFC 6711) SHOULD be used as the acr value.

  • Registered names MUST NOT be used with a different meaning than that which is registered.
  • Parties using this claim will need to agree upon the meanings of the values used, which may be context specific.

The value "0"#

The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1.

Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.

Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE (OpenID.PAPE) nist_auth_level 0.)

OpenID Connect Providers#

OpenID Connect Providers MUST support requests for specific Authentication Context Class Reference values via the acr_values parameter, as defined in OpenID.Core Section 3.1.2.
Note that the minimum level of support required for the acr_values parameter by OpenID Connect Providers is simply to have its use not result in an error.

OpenID Connect Relying Party#

A Relying Party MAY request the acr Claim in the Authorization Request in either of two ways: via the acr_values parameter, or as an individual acr Claim request for the ID Token. If the client requests the acr Claim using both the acr_values request parameter and an individual acr Claim request for the ID Token listing specific requested values, the resulting behavior is unspecified.

The Client SHOULD check that the asserted acr Claim Value is appropriate. The meaning and processing of acr Claim Values is out of scope for OpenID.Core.

acr, acr_values and acr_values_supported#

Each of these values should be in agreement and all parties should agree on which values will be used.

Parties can query the Openid-configuration to obtain the acr_values_supported for use within the
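As an added example (not code from the page or from any OpenID Connect library), the following Relying Party-side helper builds the acr_values request parameter and then checks the acr Claim asserted in an ID Token against the values the RP requested, the acr_values_supported obtained from the provider's discovery document, and the rule that level "0" must not authorize access to anything of monetary value. The provider URIs and the supported list are constructed sample values, not a real provider's.

```python
from urllib.parse import urlparse, urlencode

# Constructed sample data for this example: the acr values the OP advertises in
# its discovery document (acr_values_supported). A real RP would fetch these.
ACR_VALUES_SUPPORTED = ["0", "https://op.example/loa/basic", "https://op.example/loa/strong"]


def is_well_formed_acr(value):
    """acr SHOULD be "0" or an absolute URI (an IANA LoA registry entry is a URN)."""
    if value == "0":
        return True
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def build_acr_values_param(requested):
    """acr_values is a space-separated list of acr values, in order of preference."""
    return urlencode({"acr_values": " ".join(requested)})


def check_asserted_acr(claims, requested, supported, monetary_value):
    """Validate the acr Claim of a decoded ID Token. Returns (accepted, reason).

    claims: the ID Token claims as a dict; requested: the acr values sent in
    acr_values; supported: acr_values_supported from discovery;
    monetary_value: True if the resource being authorized has monetary value.
    """
    acr = claims.get("acr")
    if acr is None:
        return False, "acr claim absent from ID Token"
    if not isinstance(acr, str) or not is_well_formed_acr(acr):
        return False, "acr is not '0' or an absolute URI"
    # acr is case sensitive: exact string comparison, never case-folded.
    if acr not in supported:
        return False, "acr value not in the OP's acr_values_supported"
    # RP policy in this example: only accept a value the RP itself asked for.
    if acr not in requested:
        return False, "OP asserted an acr value the RP did not request"
    if acr == "0" and monetary_value:
        return False, "level 0 authentication must not authorize monetary-value access"
    return True, "ok"
```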

« This page (revision-21) was last changed on 14-Mar-2017 11:17 by jim