IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

What would it take to support the claims parameters? #1262

Closed wollowizard closed 3 years ago

wollowizard commented 3 years ago

I'd like to pass essential ACRs and I believe this can only be done in the `claims` parameter. What would it take to implement it? Is it only a matter of adding the param to the URL generation? Or is there anything else that needs to be done?

brockallen commented 3 years ago

acr_values is supported.

wollowizard commented 3 years ago

I know that, but there's no way to request an acr as essential using `acr_values`. The provider can ignore this. From the specs:

acr_values OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

For the claims parameter instead:

```json
  "acr": {"essential": true,
          "values": ["urn:mace:incommon:iap:silver",
                     "urn:mace:incommon:iap:bronze"]}
```

specifies that it is Essential that the acr Claim be returned with either the value urn:mace:incommon:iap:silver or urn:mace:incommon:iap:bronze.

brockallen commented 3 years ago

The claims param is something we can add. In the meantime, use the extraQueryParams on the param to the various signInXXX APIs.
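Worked example of the workaround from the reply above (added here; it is not code from oidc-client-js or from either commenter): build the JSON value for the `claims` request parameter with `acr` marked essential, hand it to the library through `extraQueryParams` as suggested, and then check the `acr` the provider actually returned before treating the session as satisfying the requested context. Assumed, not from the thread: that the decoded ID token claims are exposed as `user.profile` after `signinRedirectCallback()`, that `metadataService.getMetadata()` returns the discovery document, and the sample claim objects, which are constructed. The `claims_parameter_supported` field is from OIDC Discovery, where a provider advertises whether it honours the parameter at all.

```javascript
// Added example (not part of oidc-client-js): request an essential acr via the
// `claims` parameter and verify the acr claim that comes back.

// Build the `claims` authorization request parameter (OIDC Core 5.5).
// Listing acr under id_token with essential:true asks the provider to fail the
// request rather than authenticate at a weaker context than those listed.
function buildClaimsParam(acrValues) {
  if (!Array.isArray(acrValues) || acrValues.length === 0) {
    throw new TypeError('at least one acr value is required');
  }
  const request = {
    id_token: {
      acr: { essential: true, values: acrValues },
    },
  };
  // oidc-client-js URL-encodes extraQueryParams values, so the raw JSON string
  // is what goes into the object.
  return JSON.stringify(request);
}

// Discovery metadata tells you whether the provider supports `claims` at all;
// if it does not, the parameter is silently ignored and acr_values is the
// only (voluntary) option.
function providerSupportsClaimsParam(metadata) {
  return metadata != null && metadata.claims_parameter_supported === true;
}

// Check the returned ID token claims against what was requested. Even with
// essential:true the client must not assume the provider honoured it: a
// missing acr or an acr outside the accepted set means the step-up did not
// happen and the session should not be granted the elevated access.
function acrSatisfied(claims, acceptedAcrs) {
  if (!claims || typeof claims.acr !== 'string') return false;
  return acceptedAcrs.includes(claims.acr);
}

const REQUESTED_ACRS = [
  'urn:mace:incommon:iap:silver',
  'urn:mace:incommon:iap:bronze',
];

// How this plugs into oidc-client-js (shown as comments so the snippet runs
// without the library; UserManager settings are placeholders):
//   const mgr = new UserManager({ authority, client_id, redirect_uri,
//                                 response_type: 'code', scope: 'openid' });
//   const md = await mgr.metadataService.getMetadata();   // assumed API
//   if (!providerSupportsClaimsParam(md)) { /* fall back to acr_values */ }
//   await mgr.signinRedirect({
//     extraQueryParams: { claims: buildClaimsParam(REQUESTED_ACRS) },
//   });
//   ...on the redirect_uri page:
//   const user = await mgr.signinRedirectCallback();
//   if (!acrSatisfied(user.profile, REQUESTED_ACRS)) {   // assumed shape
//     /* reject, or send the user back through sign-in */
//   }

// Constructed sample ID token claim sets, as a provider might return them.
const SAMPLE_HONOURED = { sub: 'alice', acr: 'urn:mace:incommon:iap:silver', iat: 1700000000 };
const SAMPLE_NO_ACR = { sub: 'bob', iat: 1700000000 };
const SAMPLE_WEAKER = { sub: 'carol', acr: 'urn:example:acr:password-only', iat: 1700000000 };

// Run one decision per sample and return the outcomes, so the logic can be
// inspected without a real provider.
function evaluateSamples() {
  return {
    honoured: acrSatisfied(SAMPLE_HONOURED, REQUESTED_ACRS), // true
    noAcr: acrSatisfied(SAMPLE_NO_ACR, REQUESTED_ACRS),      // false
    weaker: acrSatisfied(SAMPLE_WEAKER, REQUESTED_ACRS),     // false
  };
}
```

The point of `acrSatisfied` is that `essential: true` is a request, not a guarantee: the only thing the relying party controls is whether it accepts the token it gets back, so the check on `acr` is what actually enforces the requirement.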