Authentication Context Class Reference


Authentication Context Class Reference is a Identifier for an Authentication Context Class

Authentication Context Class Reference (acr) is an OPTIONAL parameter within the Identity Token or the userinfo_endpoint for OpenID Connect for Authentication Context Class Reference.

The Authentication Context Class Reference is case-sensitive string specifying a list of Authentication Context Class values that identifies the Authentication Context Class Values that the authentication performed satisfied implying a Level Of Assurance.

An absolute URI or an entry from An IANA Registry for Level of Assurance (LoA) Profiles (RFC 6711) SHOULD be used as the acr value.

  • registered names MUST NOT be used with a different meaning than that which is registered.
  • Parties using this claim will need to agree upon the meanings of the values used, which MAY be context specific.

The value "0"#

The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 ISO 29115 level 1.

Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.

Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE OpenID.PAPE nist_auth_level 0.)

OpenID Connect Providers #

OpenID Connect Providers MUST support requests for specific Authentication Context Class Reference values via the acr_values parameter, as defined in OpenID.Core Section 3.1.2.
Note that the minimum level of support required for the acr_values parameter by OpenID Connect Providers is simply to have Authentication Context Class Reference use not result in an error.

acr_values_supported parameter within the openid-configuration MAY provide which Authentication Context Class Reference are supported by the OpenID Connect Provider

OpenID Connect Relying Party#

On a typical OpenID Connect Authentication flow, the Relying Party can optionally specify how the Resource Owner should be authenticated by means of the acr_values Authentication Request parameter which can include multiple values.

If the Relying Party provides the acr_values parameter, the id_token or the userinfo_endpoint MUST include a OpenID Connect Claim named acr that equals the same value of acr_values or equals one of the OpenID Connect Provider values.

Relying Party MAY using the Authorization Request request the acr Claim using the Authorization Request acr_values parameter as either a as either:

If the client requests the acr OpenID Connect Claims using both the acr_values request parameter and an individual acr Claim request for the id_token listing specific requested values, the resulting behavior is unspecified.

The Client SHOULD check that the asserted Claim acr Value is appropriate. The meaning and processing of acr Claim Values is out of scope OpenID.Core.

default_acr_values can be provide the Relying Party's default Authentication Context Class Values within the OAuth Dynamic Client Registration Metadata entry.

More Information#

There might be more information for this subject on one of the following: