!!! Overview
[{$pagename}] is an Identifier for an [Authentication Context Class].

[{$pagename}] ([acr]) is an __OPTIONAL__ parameter within the [Identity Token] or the [userinfo_endpoint] response for [OpenID Connect].

The [{$pagename}] is a [case-sensitive] [string] listing the [Authentication Context Class Values] that the [authentication] performed satisfied, implying a [Level Of Assurance].

An absolute [URI] or an entry from [An IANA Registry for Level of Assurance (LoA) Profiles] ([RFC 6711]) [SHOULD] be used as the [acr] value.
* Registered names [MUST NOT] be used with a different meaning than that which is registered.
* Parties using this claim will need to agree upon the meanings of the values used, which [MAY] be [context] specific.

!! The value "0"
The value "0" indicates that the [End-User] [authentication] did not meet the requirements of ISO/IEC 29115 [ISO 29115] level 1. [Authentication] using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. [Authentications] with level 0 [SHOULD NOT] be used to [authorize|Authorization] access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.)

!! [OpenID Connect Providers]
[OpenID Connect Providers] [MUST] support requests for specific [Authentication Context Class Reference] values via the [acr_values] parameter, as defined in [OpenID.Core] Section 3.1.2.

%%information
Note that the minimum level of support required for the [acr_values] parameter by [OpenID Connect Providers] is simply that its use does __not__ result in an error.
%%

The [acr_values_supported] [parameter] within the [openid-configuration] [MAY] list which [Authentication Context Class Reference] values are supported by the [OpenID Connect Provider].

!! [OpenID Connect] [Relying Party]
In a typical [OpenID Connect] Authentication flow, the [Relying Party] can optionally specify how the [Resource Owner] should be [authenticated] by means of the [acr_values] [Authentication Request] parameter, which can include multiple values.

If the [Relying Party] provides the [acr_values] parameter, the [id_token] or the [userinfo_endpoint] [MUST] include an [OpenID Connect Claim] named [acr] whose value is one of the requested [acr_values] or one of the [OpenID Connect Provider]'s values.

The [Relying Party] [MAY] request the [acr] Claim using the [Authorization Request] [acr_values] parameter as __either__:
* a [Voluntary Claim] - if a requested value cannot be provided, the [Authorization Server] [SHOULD] return the session's current [acr] as the value of the [acr] Claim.
** the [Authorization Server] is not required to provide this Claim in its response.
* an [Essential Claim] - if a requested value cannot be provided, the [Authorization Server] [MUST] treat that outcome as a __failed__ [authentication] attempt.

If the client requests the [acr] [OpenID Connect Claims] using __both__ the [acr_values] request parameter and an individual [acr] Claim request for the [id_token] listing specific requested values, the resulting behavior is __unspecified__.

The Client [SHOULD] check that the asserted [acr] Claim Value is appropriate. The meaning and processing of [acr] Claim Values is out of scope of [OpenID.Core].

[default_acr_values] can provide the [Relying Party]'s default [Authentication Context Class Values] within the [OAuth Dynamic Client Registration Metadata] entry.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
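The following Python is an added worked example, not code from this page, from [OpenID.Core] or from any [OpenID Connect Provider] implementation. It shows both sides of the behaviour described above: the [Relying Party] building an [Authentication Request] with a space-separated, [case-sensitive] [acr_values] list, the Provider picking the first requested value it advertises in [acr_values_supported] and otherwise falling back to the session's current [acr] without raising an error, and the [Relying Party] check of the asserted [acr] Claim with [Voluntary Claim] versus [Essential Claim] semantics and the "0" (no monetary value) rule. The discovery document, issuer, endpoints, client identifier and session values are constructed for the example; the "urn:mace:incommon:iap:*" strings are used only as sample registry-style values.

```python
"""Added example: acr_values negotiation and acr Claim checking in OpenID Connect.
Everything below (issuer, endpoints, client id, sample acr values) is constructed
for illustration and is not taken from any real deployment."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed fragment of an openid-configuration document (assumption).
DISCOVERY = {
    "issuer": "https://op.example",                       # hypothetical issuer
    "authorization_endpoint": "https://op.example/authorize",  # hypothetical
    # Sample registry-style values plus the OpenID.Core "0" value.
    "acr_values_supported": [
        "urn:mace:incommon:iap:silver",
        "urn:mace:incommon:iap:bronze",
        "0",
    ],
}


def build_authentication_request(client_id, redirect_uri, state, nonce, acr_values):
    """RP side: acr_values is sent as a space-separated, case-sensitive list,
    ordered by preference."""
    params = {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def requested_acr_values(request_url):
    """OP side: recover the requested list from the query string (empty if absent)."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("acr_values", [""])[0].split()


def provider_select_acr(requested, session_acr):
    """OP side: honour the first requested value that is supported. An unknown
    value, a differently-cased value or an empty list never causes an error;
    the Provider just asserts the session's current acr (Voluntary behaviour)."""
    supported = DISCOVERY["acr_values_supported"]
    for value in requested:              # request order expresses RP preference
        if value in supported:           # exact, case-sensitive comparison
            return value
    return session_acr


@dataclass
class AcrCheck:
    ok: bool                      # may the RP treat the authentication as accepted?
    reason: str
    monetary_access_allowed: bool  # False for acr "0" or a failed check


def relying_party_check_acr(id_token_claims, requested, essential=False):
    """RP side: the Client SHOULD check that the asserted acr is appropriate.
    `requested` is the acr_values list the RP sent; `essential` selects the
    Essential Claim rule (unmet request == failed authentication)."""
    acr = id_token_claims.get("acr")
    if requested and acr is None:
        return AcrCheck(False, "acr claim missing although acr_values was requested", False)
    if acr is not None and not isinstance(acr, str):
        return AcrCheck(False, "acr claim must be a string", False)
    # "0" means the authentication did not meet ISO/IEC 29115 level 1, so it
    # SHOULD NOT authorize access to anything of monetary value.
    monetary = acr is not None and acr != "0"
    if acr in requested:
        return AcrCheck(True, "asserted acr matches a requested value", monetary)
    if essential:
        return AcrCheck(False, f"essential acr not satisfied; provider asserted {acr!r}", False)
    # Voluntary request not met: the Provider returned the session's current acr.
    return AcrCheck(True, f"voluntary acr request not met; session acr is {acr!r}", monetary)


if __name__ == "__main__":
    wanted = ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"]
    url = build_authentication_request("client-123", "https://rp.example/cb", "s1", "n1", wanted)
    asserted = provider_select_acr(requested_acr_values(url), session_acr="0")
    print("provider asserts acr:", asserted)
    print(relying_party_check_acr({"acr": asserted}, wanted, essential=True))
```

Running the module end to end shows the negotiated value being accepted; swapping the requested list for one the Provider does not support shows the fallback to the session's acr, which the Essential rule rejects while the Voluntary rule accepts without granting monetary-value access.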