Can someone explain ACR return values in OIDC?

Question

See bottom for final questions

So I understand the basic concept of the acr value. I know it "specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination."

However I am confused on the return value. I know that if I request in the scope of response an acr claim (as an essential claim) I have to specify the values parameter for a specific authentication context class reference.

This is where I get confused. When I looked for acr return values (the authentication context class reference) I found a number of different LOA profiles I could reference (https://www.iana.org/assignments/loa-profiles/loa-profiles.xhtml). However, only one profile seemed to be referenced in the OIDC documents (and is related to the US) -- InCommon.

When I searched InCommon's website, it is unclear to me if the IdP is required to be certified with InCommon, to return an ACR value.

The following excerpt is from InCommon's website:

"How Does it Work? The InCommon community has developed and published the Bronze and Silver profiles, which define the specific criteria an Identity Provider must meet to become certified. An Identity Provider incorporates these criteria into its identity and access management system. In the case of Bronze, the Identity Provider can either conduct an audit to prove compliance with the profile or can simply sign a statement (self-assert) that it meets the criteria. Silver requires an audit, which can typically be done by an internal auditor not directly associated with the IT operation."

---

I am also confused on how the return value works since the OIDC documentation gives an example "return" value for acr as:

"acr": {"values": ["urn:mace:incommon:iap:silver"]}

Yet, when I look at the acr return value example on Microsoft's Website, it gives an acr return value of 0.

"acr": "0"

---

So my final questions: 1. Can someone please explain if an IdP (providing a token) is required to be certified to provide an acr return value. 2. Is the return value "incommon:iap:silver" or "0"?

Answer 1

You can view the ACR values as a set of arbitrary values that the client and idp agreed upon to communicate the level of authentication that happened. This is to give the client a level of confidence on the qualify of the authentication that took place.

There are no "official" values for them. They should be communicated via the acr_values_supported parameter of OIDC discovery response. Please see https://openid.net/specs/openid-connect-discovery-1_0.html (OpenID Connect Discovery 1.0) for more on this.

As they are not required parameters, there is a fair amount of flexibility in how they are implemented and interpreted. In my understanding, the IDP will perform an authentication process based on the provided acr_values in the request as it see fit. Usually, this means if the client provides a value that the IDP understands, it will be respected. However, if an unsupported value is provided, there is no guarantee that it will be interpreted (nor it should result in error either), and the IDP may just resort to a default authentication process and return the corresponding ACR value to the client.

The client, on the other hand, may elect to inspect the acr_values field in the ID token and decide if the level of authentication that happened truly satisfies what the client needs to perform. If so, carry on with the identity; if not, reject the identity assertion.

Hope it addresses your question.