This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is an Identifier for an [Authentication Context Class].
[{$pagename}] ([acr]) is an __OPTIONAL__ parameter within the [Identity Token] or the [userinfo_endpoint] response for [OpenID Connect].
The [{$pagename}] is a [case-sensitive] [string] specifying a list of [Authentication Context Class] values, identifying the [Authentication Context Class Values] that the [authentication] performed satisfied and thereby implying a [Level Of Assurance].
An absolute [URI] or an entry from [An IANA Registry for Level of Assurance (LoA) Profiles] ([RFC 6711]) [SHOULD] be used as the [acr] value.
* registered names [MUST NOT] be used with a different meaning than that which is registered.
* Parties using this claim will need to agree upon the meanings of the values used, which [MAY] be [context] specific.
!! The value "0"
The value "0" indicates the [End-User] [authentication] did not meet the requirements of ISO/IEC 29115 [ISO 29115] level 1.
[Authentication] using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.
[Authentications] with level 0 [SHOULD NOT] be used to [authorize|Authorization] access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.)
!! [OpenID Connect Providers]
[OpenID Connect Providers] [MUST] support requests for specific [Authentication Context Class Reference] values via the [acr_values] parameter, as defined in [OpenID.Core] Section 3.1.2.
%%information
Note that the minimum level of support required for the [acr_values] parameter by [OpenID Connect Providers] is simply that use of [{$pagename}] does __not__ result in an error.
%%
The [acr_values_supported] [parameter] within the [openid-configuration] [MAY] list which [Authentication Context Class Reference] values are supported by the [OpenID Connect Provider].
!! [OpenID Connect] [Relying Party]
In a typical [OpenID Connect] Authentication flow, the [Relying Party] can optionally specify how the [Resource Owner] should be [authenticated] by means of the [acr_values] [Authentication Request] parameter, which can include multiple values.
If the [Relying Party] provides the [acr_values] parameter, the [id_token] or the [userinfo_endpoint] [MUST] include an [OpenID Connect Claim] named [acr] whose value is one of the requested [acr_values] or one of the [OpenID Connect Provider]'s own values.
The [Relying Party] [MAY] request the [acr] Claim using the [Authorization Request] [acr_values] parameter as __either__:
* a [Voluntary Claim] - where, if a requested value cannot be provided, the [Authorization Server] [SHOULD] return the session's current [acr] as the value of the [acr] Claim.
** the [Authorization Server] is not required to provide this Claim in its response.
* an [Essential Claim] - where if a requested value cannot be provided, then the [Authorization Server] [MUST] treat that outcome as a __failed__ [authentication] attempt.
If the client requests the [acr] [OpenID Connect Claim] using __both__ the [acr_values] request parameter and an individual [acr] Claim request for the [id_token] listing specific requested values, the resulting behavior is __unspecified__.
The Client [SHOULD] check that the asserted [acr] Claim Value is appropriate. The meaning and processing of [acr] Claim Values is out of scope for [OpenID.Core].
[default_acr_values] can provide the [Relying Party]'s default [Authentication Context Class Values] within its [OAuth Dynamic Client Registration Metadata] entry.
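The Relying Party side described above, as an added example that is not part of this wiki page or of any OpenID Connect library: it builds the Authorization Request either with the voluntary [acr_values] parameter or with an essential [acr] request in the claims parameter (never both, since the page notes that combination is unspecified), checks the requested values against acr_values_supported, and validates the [acr] asserted in the returned ID Token, rejecting level "0". Assumptions not from the page: the discovery document and the ID Token payload are plain dicts, the ID Token signature has already been verified elsewhere, and the helper names, URLs and acr URNs are constructed for the example.

```python
"""Added example (not from the wiki page): requesting and checking acr on the
Relying Party side.  Assumes the ID Token signature was already verified, so
only its decoded payload (a dict) is handled here.  All names, URLs and acr
URNs below are constructed for illustration."""
import json
from urllib.parse import urlencode

# Constructed openid-configuration excerpt; acr_values_supported is OPTIONAL.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "acr_values_supported": ["urn:example:loa:2", "urn:example:loa:3", "0"],
}


def unsupported_acr_values(discovery, requested):
    """Return the requested acr values the OP does not advertise.

    When acr_values_supported is absent nothing can be checked, so the
    request is allowed to proceed and an empty list is returned.
    """
    supported = discovery.get("acr_values_supported")
    if supported is None:
        return []
    return [v for v in requested if v not in supported]


def build_authorization_params(client_id, redirect_uri, acr_values,
                               essential=False, nonce="n-0S6_WzA2Mj"):
    """Query parameters for an Authorization Request asking for acr.

    Voluntary request: acr_values="<space separated list>".
    Essential request: the acr claim is asked for through the claims
    parameter with "essential": true (OpenID.Core section 5.5).
    Only one of the two forms is emitted, because combining them is
    unspecified behaviour.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    if essential:
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}
        )
    else:
        params["acr_values"] = " ".join(acr_values)
    return params


def authorization_url(discovery, params):
    """Attach the parameters to the OP's authorization_endpoint."""
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def check_acr(id_token_payload, requested, essential, allow_level_0=False):
    """Validate the acr claim of a signature-verified ID Token payload.

    Returns (ok, reason).  The comparison is exact because acr values are
    case-sensitive strings.
    """
    acr = id_token_payload.get("acr")
    if acr is None:
        if essential:
            return False, "essential acr claim missing from ID Token"
        # Voluntary request: the AS is not required to return acr at all.
        return True, "voluntary request, no acr asserted"
    if acr == "0" and not allow_level_0:
        # Level 0 (e.g. a long-lived browser cookie) must not authorize
        # access to anything of monetary value.
        return False, "acr 0 does not meet ISO/IEC 29115 level 1"
    if acr in requested:
        return True, "acr %s matches the request" % acr
    # For a voluntary request the AS may return the session's current acr,
    # which need not be one of ours; the RP still decides it is not appropriate.
    return False, "asserted acr %s is not one of the requested values" % acr


if __name__ == "__main__":
    wanted = ["urn:example:loa:3", "urn:example:loa:2"]
    print("unsupported:", unsupported_acr_values(DISCOVERY, wanted))
    params = build_authorization_params("s6BhdRkqt3", "https://rp.example.org/cb", wanted)
    print(authorization_url(DISCOVERY, params))
    for payload in ({"acr": "urn:example:loa:3"}, {"acr": "0"}, {}):
        print(payload, "->", check_acr(payload, wanted, essential=False))
```

The essential form is the one to use when a weaker context must fail the login outright; with the voluntary form the RP has to do the appropriateness check itself, which is why check_acr rejects an unrequested or level-0 value rather than trusting whatever the session happened to have.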
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]