Can someone explain ACR return values in OIDC?

See bottom for final questions

So I understand the basic concept of the acr value. I know it "specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination."

However, I am confused about the return value. I know that if I request an acr claim in the response (as an essential claim), I have to specify the values parameter for a specific authentication context class reference.

This is where I get confused. When I looked for acr return values (the authentication context class reference) I found a number of different LOA profiles I could reference (https://www.iana.org/assignments/loa-profiles/loa-profiles.xhtml). However, only one profile seemed to be referenced in the OIDC documents (and is related to the US) -- InCommon.

When I searched InCommon's website, it was unclear to me whether the IdP is required to be certified with InCommon to return an ACR value.

The following excerpt is from InCommon's website:

"How Does it Work? The InCommon community has developed and published the Bronze and Silver profiles, which define the specific criteria an Identity Provider must meet to become certified. An Identity Provider incorporates these criteria into its identity and access management system. In the case of Bronze, the Identity Provider can either conduct an audit to prove compliance with the profile or can simply sign a statement (self-assert) that it meets the criteria. Silver requires an audit, which can typically be done by an internal auditor not directly associated with the IT operation."


I am also confused on how the return value works since the OIDC documentation gives an example "return" value for acr as:

"acr": {"values": ["urn:mace:incommon:iap:silver"]}

Yet, when I look at the acr return value example on Microsoft's website, it gives an acr return value of 0.

"acr": "0"


So my final questions:

1. Can someone please explain if an IdP (providing a token) is required to be certified to provide an acr return value?
2. Is the return value "incommon:iap:silver" or "0"?

cyberwarrior asked Oct 03 '18 17:10


1 Answer

You can view the ACR values as a set of arbitrary values that the client and IdP agreed upon to communicate the level of authentication that happened. This is to give the client a level of confidence in the quality of the authentication that took place.

There are no "official" values for them. They should be communicated via the acr_values_supported parameter of OIDC discovery response. Please see https://openid.net/specs/openid-connect-discovery-1_0.html (OpenID Connect Discovery 1.0) for more on this.

As they are not required parameters, there is a fair amount of flexibility in how they are implemented and interpreted. In my understanding, the IdP will perform an authentication process based on the provided acr_values in the request as it sees fit. Usually, this means that if the client provides a value the IdP understands, it will be respected. However, if an unsupported value is provided, there is no guarantee that it will be interpreted (nor should it result in an error), and the IdP may just resort to a default authentication process and return the corresponding ACR value to the client.

The client, on the other hand, may elect to inspect the acr_values field in the ID token and decide if the level of authentication that happened truly satisfies what the client needs to perform. If so, carry on with the identity; if not, reject the identity assertion.

Hope it addresses your question.

davidiamyou answered Oct 14 '22 12:10
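The client-side handling the answer describes, as an added example (not code from the question or answer): check the values you intend to request against the OP's acr_values_supported from discovery, build the essential-claim request the question quotes, and after the token comes back accept the identity only if the returned acr is one you agreed to. The discovery document and ID token claims are constructed inline; the issuer URL and function names are assumptions.

```python
import json

# Constructed discovery document (not a real OP); only the relevant fields are shown.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example",  # assumed placeholder issuer
    "acr_values_supported": [
        "urn:mace:incommon:iap:silver",
        "urn:mace:incommon:iap:bronze",
    ],
})


def supported_acr(discovery_json: str) -> set:
    """Return the acr values the OP advertises; empty if it advertises none."""
    return set(json.loads(discovery_json).get("acr_values_supported", []))


def unsupported_requests(requested, discovery_json: str) -> set:
    """Requested acr values the OP does not advertise. Per the answer, the OP may
    silently ignore these and fall back to its default authentication, so the
    client should know about them before sending the request."""
    return set(requested) - supported_acr(discovery_json)


def build_claims_request(acceptable) -> str:
    """Build the 'claims' request parameter asking for acr as an essential claim,
    in the same shape the question quotes from the OIDC Core spec."""
    return json.dumps({"id_token": {"acr": {"essential": True, "values": list(acceptable)}}})


def acr_satisfies(id_token_claims: dict, acceptable) -> bool:
    """Decide whether the authentication that actually happened is good enough.
    The acr claim is a single string in the ID token. A missing claim or a value
    outside the agreed set (for example an OP default such as "0") is rejected."""
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in set(acceptable)


if __name__ == "__main__":
    wanted = ["urn:mace:incommon:iap:silver"]
    print("not advertised:", unsupported_requests(wanted, DISCOVERY_DOC))
    print("claims param:", build_claims_request(wanted))
    # Constructed ID token claims for two outcomes: agreed value vs. OP default.
    print(acr_satisfies({"sub": "alice", "acr": "urn:mace:incommon:iap:silver"}, wanted))
    print(acr_satisfies({"sub": "alice", "acr": "0"}, wanted))
```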