Closed: ajmcmiddlin closed this issue 5 years ago
Related: if I'm correct then I believe the `acr` claim in the ID token should change from CONDITIONAL to REQUIRED.
That's true for write operations. From my understanding, read ops do not have such a requirement: https://openid.net/specs/openid-financial-api-part-1.html 5.2.2.1. However, I think this is a good example of why the profile needs to make it clear what's normative and not be overly prescriptive.
My understanding from FAPI Part 2 §5.2.3 is that the authorisation request must make an `acr` claim as an essential claim. OIDC §5.5.1.1 and OIDC §3.1.2.1 both suggest that `acr_values`, which is currently optional in this spec, is a voluntary claim.

It seems to me that to comply with FAPI we must include an `acr` claim as part of the ID Token claims in the request object as per OIDC §5.5 (noting sections 5.5.1 and 5.5.1.1).

Furthermore, including both `acr_values` and an `acr` claim as part of the ID token claims is unspecified according to OIDC §5.5.1.1.

Taken together, this suggests to me that if we want to comply with FAPI (I don't see a good reason not to) we should remove the `acr_values` parameter and instead require the `acr` claim be made within the ID token claims.
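As an added illustration (not code from this issue or the project it belongs to) of the distinction drawn above: building the `claims` request parameter with `acr` as an essential ID Token claim per OIDC §5.5.1, and checking a returned ID Token against it so that a missing or non-matching `acr` fails only when it was requested as essential. The `urn:example:loa:*` values are constructed placeholders, not values from any spec.

```python
import json


def build_claims_request(acr_values, essential=True):
    """Return the OIDC 'claims' request parameter (OIDC section 5.5 / 5.5.1)
    asking for the acr claim in the ID Token.

    essential=True is what the comment above argues FAPI requires; the
    acr_values request parameter, by contrast, only requests acr voluntarily.
    """
    return {"id_token": {"acr": {"essential": essential, "values": list(acr_values)}}}


def validate_acr(id_token_claims, claims_request):
    """Check the acr claim of a decoded ID Token against what was requested.

    Returns (ok, reason). An essential acr must be present and must be one of
    the requested values; a voluntary acr may be absent or carry a value the
    OP chose, so it never causes a failure here.
    """
    spec = claims_request.get("id_token", {}).get("acr")
    if spec is None:
        return True, "acr not requested"
    essential = bool(spec.get("essential", False))
    acr = id_token_claims.get("acr")
    if acr is None:
        return (not essential, "acr missing" if essential else "acr missing but voluntary")
    if not essential:
        return True, "acr present (voluntary)"
    allowed = set(spec.get("values", []))
    if "value" in spec:
        allowed.add(spec["value"])
    if allowed and acr not in allowed:
        return False, "acr %r not in requested values" % acr
    return True, "acr satisfied"


if __name__ == "__main__":
    # Constructed sample: request a high-assurance acr as essential, then
    # check a token that satisfies it and one that does not.
    req = build_claims_request(["urn:example:loa:high"])
    print(json.dumps(req))  # this JSON goes into the request object's "claims" member
    print(validate_acr({"sub": "alice", "acr": "urn:example:loa:high"}, req))
    print(validate_acr({"sub": "alice"}, req))
```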