https://www.ory.sh/ logo
#general
Title
# general
b

broad-fireman-57222

01/10/2022, 10:26 PM
Hello, I’m a user of ory/fosite. I’d like to know if the fosite should support claims request parameter on oidc validator.
Background... I want to restrict end-user’s authentication by authentication request to AuthZ Server. For example, the AuthZ Server provides multi authentication methods and a RP wants end-user to authenticate by specific authentication method. At first, I was thinking that the
acr_values
is proper request parameter to specify which authentication is required. But, when reading ory/fosite and OpenID Connect Core, using claims request parameter is looks proper option. However, currently, fosite does not support claims request parameter. https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics
Then, what I want to know is that, • Is it correct understanding to implement claims request parameter on fosite to realize that? • Or Is there any way to specified authentication method on the RP?
c

clean-hamburger-91078

01/11/2022, 9:46 AM
I bet it should be claims + amr claim
or you could just use any custom request parameter (added to auth request, like
&auth_type=someth
) and then parse it in login app via
request_uri
parameter in login request retrieved from Hydra
Then you add "amr" claim to context of access/id tokens (upon auth completion) and you are able to distinguish tokens issued with different auth methods and your RP is able to request re-authentication in case of insufficient auth level
b

broad-fireman-57222

01/11/2022, 10:23 PM
Thank you for your reply!
I bet it should be claims + amr claim
I agree with to use claims request parameter. Using custom request parameter is one of the options. But I want to follow standard spec as much as possible. I’m not sure the claims request parameter it self is actually using in some IdP though... At least I don’t know a IdP that is supported claims request parameter lol. Anyway, I will post a issue on ory/fosite …