https://www.ory.sh/ logo
Join Slack
Powered by
This message was deleted.
# general
m
This message was deleted.
b
Background... I want to restrict end-user’s authentication by authentication request to AuthZ Server. For example, the AuthZ Server provides multi authentication methods and a RP wants end-user to authenticate by specific authentication method. At first, I was thinking that the 
acr_values
is proper request parameter to specify which authentication is required. But, when reading ory/fosite and OpenID Connect Core, using claims request parameter is looks proper option. However, currently, fosite does not support claims request parameter. https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics
Then, what I want to know is that, • Is it correct understanding to implement claims request parameter on fosite to realize that? • Or Is there any way to specified authentication method on the RP?
c
I bet it should be claims + amr claim
or you could just use any custom request parameter (added to auth request, like 
&auth_type=someth
) and then parse it in login app via 
request_uri
parameter in login request retrieved from Hydra
Then you add "amr" claim to context of access/id tokens (upon auth completion) and you are able to distinguish tokens issued with different auth methods and your RP is able to request re-authentication in case of insufficient auth level
b
Thank you for your reply!
I bet it should be claims + amr claim
I agree with to use claims request parameter. Using custom request parameter is one of the options. But I want to follow standard spec as much as possible. I’m not sure the claims request parameter it self is actually using in some IdP though... At least I don’t know a IdP that is supported claims request parameter lol. Anyway, I will post a issue on ory/fosite …
2 Views
Open in Slack
PreviousNext
Powered by