
[GAIN-POC] prompt and acr_values in the authz request should be optional - default applied #162

Status: Open
peppelinux opened this issue Feb 27, 2023 · 6 comments
Labels: gain-poc, wontfix (This will not be worked on)

Comments

@peppelinux (Member)

[image]

May we say that the RP is not forced to have acr_values in the request, and the OP SHOULD adopt its most secure or its default?

In other words, I'd say that the OP adopts its default if the RP doesn't request some specific acr_values.

Do you agree?
In the current specs it is not clear which parameters are mandatory and which are optional.

@peppelinux (Member, Author)

The same goes for the parameter "prompt":

it should be optional, and the IdP should act with its defaults if the RP omits it.

@peppelinux peppelinux changed the title disambiguation on the voluntuary of the acr_values in the authz request disambiguation on the voluntary of the acr_values in the authz request Feb 27, 2023
@damikael (Member)

In SPID acr_values and prompt are mandatory, see LL.GG. OIDC SPID

@peppelinux (Member, Author)

That's why I am suggesting not to make them mandatory; the IdP should define its own defaults.

@damikael (Member)

^ @AntonioFlorio @agcolella @nunzionapoli
I think it's better for SPID to keep the claims as mandatory, as defined in the guidelines

@peppelinux (Member, Author)

These claims are very important for interoperability with different systems/federations outside Italy.

I tag this issue with gain-poc, which is the stage where I'm facing all the interoperability issues with third parties.

@peppelinux peppelinux changed the title disambiguation on the voluntary of the acr_values in the authz request [GAIN-POC] prompt and acr_values in the authz request should be optional - default applied Feb 28, 2023
@TakahikoKawasaki

FYI 1

OpenID Connect Dynamic Client Registration 1.0 defines the default_acr_values client metadata as follows.

OPTIONAL. Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the supported acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.

FYI 2

OAuth 2.0 Step-up Authentication Challenge Protocol recommends that an ACR request made by the acr_values request parameter (which requests the acr claim as a voluntary claim) be “treated as required”, and that the authorization server return the unmet_authentication_requirements error in case none of the specified ACRs can be satisfied.

See "Unmet Authentication Requirements for Step-up Authentication" for details.
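Added example, not code from the spid-cie-oidc project or from any of the comments above: an OP-side resolver that puts the two positions in this thread side by side. With the default settings it treats `acr_values` and `prompt` as optional, as proposed at the top of the thread, resolving the ACR from the request parameter first, then from the client's registered `default_acr_values` (the client metadata quoted in FYI 1), then from an OP-wide default, and it rejects a request whose candidate ACRs it cannot satisfy with `unmet_authentication_requirements`, as recommended in FYI 2. With `require_explicit=True` it models the SPID profile, in which both parameters are mandatory. The ACR URIs, the OP-wide defaults, the `ClientMetadata` shape and all function names are assumptions made for this example.

```python
"""Resolve acr_values and prompt for an OIDC authorization request (added example)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed: this OP's advertised acr_values_supported, in ascending strength.
# The URIs only mimic SPID's level identifiers; they are assumptions, not a spec.
ACR_VALUES_SUPPORTED = (
    "https://www.spid.gov.it/SpidL1",
    "https://www.spid.gov.it/SpidL2",
    "https://www.spid.gov.it/SpidL3",
)
OP_DEFAULT_ACR = "https://www.spid.gov.it/SpidL2"          # assumption: OP policy default
PROMPT_VALUES = {"none", "login", "consent", "select_account"}  # OIDC Core 1.0, 3.1.2.1
OP_DEFAULT_PROMPT: frozenset[str] = frozenset()             # assumption: no forced re-auth


@dataclass
class ClientMetadata:
    """Subset of registered client metadata (assumed shape)."""
    client_id: str
    default_acr_values: list[str] = field(default_factory=list)  # order of preference


class AuthzRequestError(Exception):
    """An OAuth 2.0 / OIDC authorization error the OP would redirect back to the RP."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def resolve_acr(params: dict[str, str], client: ClientMetadata,
                require_explicit: bool = False) -> tuple[str, str]:
    """Return (acr, source); source records which fallback level supplied the ACR."""
    requested = params.get("acr_values")
    if requested:
        candidates, source = requested.split(), "request"        # space-separated
    elif require_explicit:                                       # SPID-style profile
        raise AuthzRequestError("invalid_request", "acr_values is mandatory in this profile")
    elif client.default_acr_values:
        candidates, source = list(client.default_acr_values), "client_metadata"
    else:
        return OP_DEFAULT_ACR, "op_default"
    # Both lists are ordered by preference: the first supported value wins.
    for acr in candidates:
        if acr in ACR_VALUES_SUPPORTED:
            return acr, source
    # acr is a voluntary claim, but the step-up recommendation is to treat the
    # request as required and fail instead of silently authenticating at another level.
    raise AuthzRequestError(
        "unmet_authentication_requirements",
        f"none of {candidates} is in acr_values_supported",
    )


def resolve_prompt(params: dict[str, str], require_explicit: bool = False) -> frozenset[str]:
    """Return the set of prompt values to honour, applying the OP default when absent."""
    raw = params.get("prompt")
    if raw is None:
        if require_explicit:
            raise AuthzRequestError("invalid_request", "prompt is mandatory in this profile")
        return OP_DEFAULT_PROMPT
    values = frozenset(raw.split())
    unknown = values - PROMPT_VALUES
    if unknown:
        raise AuthzRequestError("invalid_request", f"unknown prompt value(s): {sorted(unknown)}")
    if "none" in values and len(values) > 1:
        # OIDC Core: "none" MUST NOT be combined with other prompt values.
        raise AuthzRequestError("invalid_request", "prompt=none cannot be combined with other values")
    return values


def parse_authz_request(url: str, client: ClientMetadata,
                        require_explicit: bool = False) -> dict:
    """Extract and resolve the ACR and prompt policy for one authorization request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}   # these parameters are single-valued
    acr, source = resolve_acr(params, client, require_explicit)
    prompt = resolve_prompt(params, require_explicit)
    return {"acr": acr, "acr_source": source, "prompt": sorted(prompt)}


if __name__ == "__main__":
    # Constructed sample requests from an RP registered with default_acr_values=[SpidL1].
    rp = ClientMetadata("rp1", default_acr_values=["https://www.spid.gov.it/SpidL1"])
    print(parse_authz_request("https://op.example/authz?client_id=rp1&acr_values="
                              "https://www.spid.gov.it/SpidL3&prompt=login", rp))
    print(parse_authz_request("https://op.example/authz?client_id=rp1", rp))
    try:
        parse_authz_request("https://op.example/authz?client_id=rp1", rp, require_explicit=True)
    except AuthzRequestError as exc:
        print("SPID profile:", exc)
```

The ordering matters for the interoperability case raised in the thread: an RP from another federation that never sends `acr_values` still gets a deterministic level, either the one it registered or the OP's own default, and an RP that asks for a level the OP does not offer gets an explicit error rather than an ID Token whose `acr` it then has to inspect.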

@peppelinux peppelinux added the wontfix This will not be worked on label Mar 9, 2023