Hello, I’m a user of ory/fosite. I’d like to know ...
# general
Hello, I’m a user of ory/fosite. I’d like to know if the fosite should support claims request parameter on oidc validator.
Background... I want to restrict end-user’s authentication by authentication request to AuthZ Server. For example, the AuthZ Server provides multi authentication methods and a RP wants end-user to authenticate by specific authentication method. At first, I was thinking that the
is proper request parameter to specify which authentication is required. But, when reading ory/fosite and OpenID Connect Core, using claims request parameter is looks proper option. However, currently, fosite does not support claims request parameter. https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics
Then, what I want to know is that, • Is it correct understanding to implement claims request parameter on fosite to realize that? • Or Is there any way to specified authentication method on the RP?
I bet it should be claims + amr claim
or you could just use any custom request parameter (added to auth request, like
) and then parse it in login app via
parameter in login request retrieved from Hydra
Then you add "amr" claim to context of access/id tokens (upon auth completion) and you are able to distinguish tokens issued with different auth methods and your RP is able to request re-authentication in case of insufficient auth level
Thank you for your reply!
I bet it should be claims + amr claim
I agree with to use claims request parameter. Using custom request parameter is one of the options. But I want to follow standard spec as much as possible. I’m not sure the claims request parameter it self is actually using in some IdP though... At least I don’t know a IdP that is supported claims request parameter lol. Anyway, I will post a issue on ory/fosite …