TeskaLabs / seacat-auth
SeaCat Auth provides authentication, authorization, identity management, session management and other access control features.
GNU General Public License v3.0
OIDC `amr` and `acr` claim support #253
Open
byewokko opened 1 year ago

byewokko commented 1 year ago
The `amr` (authentication method reference) claim is a standardized way to inform about the means of authentication that have been used. Example values:

- `pwd`: password,
- `mfa`: multi-factor auth,
- `hwk`: hardware key...

It should optionally be included in the ID token as an array of values that are valid for the current session, e.g. `"amr": ["pwd", "otp", "mfa"]`.

See the specs here: https://www.rfc-editor.org/rfc/rfc8176.html

Consider also the related `acr` (Authentication Context Class Reference) claim, which can indicate the "level of authentication" and is configurable. Specs here: https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics

For example there could be a value `none` meaning "no authentication" (equivalent to our current anonymous/guest sessions with no user authentication), another `pwd` meaning "only password", `mfa` meaning multiple factors etc.

Example implementation values: Okta

These could be linked to our login factors (`amr`) and login descriptors (`acr`).
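The mapping the issue proposes, sketched as an added example that is not code from the SeaCat Auth project: session login factors are translated into RFC 8176 `amr` values, an `acr` level is derived from them, both are placed into the ID token claims, and a relying party checks whether a token's `acr` meets the level it requires. The factor names (`password`, `totp`, `webauthn`, ...), the `FACTOR_TO_AMR` table, the `ACR_LEVELS` ordering and the session dictionary shape are all assumptions made for illustration.

```python
"""Deriving OIDC `amr` and `acr` claims from a session and checking them on the relying-party side.

Added example; not code from SeaCat Auth. Factor names, the amr mapping table,
the ACR policy and the session structure are assumptions for illustration.
"""
from typing import Dict, Iterable, List

# Assumed names of login factors as a session might record them, mapped to
# RFC 8176 "amr" values (pwd, otp, sms, hwk, fpt are registered values).
FACTOR_TO_AMR: Dict[str, str] = {
    "password": "pwd",
    "totp": "otp",
    "sms_otp": "sms",
    "webauthn": "hwk",
    "fingerprint": "fpt",
}

# Assumed ACR levels, weakest to strongest, as named in the issue:
# "none" (anonymous/guest), "pwd" (only password), "mfa" (multiple factors).
ACR_LEVELS: List[str] = ["none", "pwd", "mfa"]


def amr_from_factors(factors: Iterable[str]) -> List[str]:
    """Translate the factors used for a session into a de-duplicated amr list.

    "mfa" is appended when two or more distinct methods were used; RFC 8176
    allows listing the specific methods alongside it.
    """
    amr: List[str] = []
    for factor in factors:
        code = FACTOR_TO_AMR.get(factor)
        if code is None:
            # Fail closed: an unmapped factor must not silently vanish from the claim.
            raise ValueError("unknown login factor: %r" % (factor,))
        if code not in amr:
            amr.append(code)
    if len(amr) >= 2:
        amr.append("mfa")
    return amr


def acr_from_amr(amr: List[str]) -> str:
    """Assumed policy mapping amr values to one of ACR_LEVELS.

    Combinations the policy does not name (e.g. a single hardware key) raise,
    because issuing a wrong level is worse than refusing to issue one.
    """
    if not amr:
        return "none"
    if "mfa" in amr:
        return "mfa"
    if amr == ["pwd"]:
        return "pwd"
    raise ValueError("no ACR level defined for amr %r" % (amr,))


def build_id_token_claims(session: Dict, base_claims: Dict) -> Dict:
    """Return base_claims extended with amr/acr derived from the session's factors."""
    amr = amr_from_factors(session.get("login_factors", []))
    claims = dict(base_claims)
    claims["amr"] = amr
    claims["acr"] = acr_from_amr(amr)
    return claims


def acr_satisfies(claims: Dict, required_acr: str) -> bool:
    """Relying-party check: does the token's acr reach the required level?

    A token without an acr claim, or with an unknown value, fails closed.
    """
    acr = claims.get("acr")
    if acr not in ACR_LEVELS or required_acr not in ACR_LEVELS:
        return False
    return ACR_LEVELS.index(acr) >= ACR_LEVELS.index(required_acr)


if __name__ == "__main__":
    # Constructed sessions: a guest, a password-only login and a password+TOTP login.
    base = {"iss": "https://auth.example.test", "sub": "user-123"}  # placeholder issuer
    for session in (
        {"login_factors": []},
        {"login_factors": ["password"]},
        {"login_factors": ["password", "totp"]},
    ):
        claims = build_id_token_claims(session, base)
        print(claims["amr"], claims["acr"], "admin ok:", acr_satisfies(claims, "mfa"))
```

The relying-party side compares positions in the ordered `ACR_LEVELS` list rather than string equality, so a policy that requires `pwd` still accepts an `mfa` token, while a token that carries no `acr` at all is rejected rather than treated as the lowest level.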