italia/spid-cie-oidc-docs

[GAIN-POC] prompt and acr_values in the authz request should be optional - default applied

Opened this issue · 6 comments


May we say that the RP is not forced to include acr_values in the request, and that the OP SHOULD adopt its most secure level or its default?

In other words, I'd say that the OP adopts its default if the RP doesn't request specific acr_values.

Do you agree?
In the current specs it is not clear which parameters are mandatory and which are optional.

The same goes for the parameter "prompt":

it should be optional, and the IdP should act with its defaults if the RP omits it.

In SPID, acr_values and prompt are mandatory, see LL.GG. OIDC SPID.

That's why I am suggesting not to have them mandatory, and that the IdP should define its default.

^ @AntonioFlorio @agcolella @nunzionapoli
I think it's better for SPID to keep the claims as mandatory, as defined in the guidelines.

These claims are very important for interoperability with different systems/federations outside Italy.

I tag this issue with gain-poc; that's the stage where I'm facing all the interoperability issues with third parties.

FYI 1

OpenID Connect Dynamic Client Registration 1.0 defines the default_acr_values client metadata as follows.

OPTIONAL. Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the supported acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.

FYI 2

OAuth 2.0 Step-up Authentication Challenge Protocol recommends that an ACR request by the acr_values request parameter (which requests the acr claim as a voluntary claim) be “treated as required” and the authorization server return the unmet_authentication_requirements error in case none of specified ACRs can be satisfied.

See "Unmet Authentication Requirements for Step-up Authentication" for details.
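The two FYI comments above describe a precedence chain for ACR selection (acr_values in the request, then an individual acr claim request, then the client's registered default_acr_values, then the OP's own default) and a failure rule (if nothing requested can be satisfied, answer with unmet_authentication_requirements rather than silently downgrading). The following is an added example written for this page, not code from spid-cie-oidc-docs or from any OP implementation; it shows one way an OP could implement that chain, plus the "prompt is optional, OP default applies" behaviour proposed in the issue. The ACR identifiers, the OP's default ACR and the OP's default prompt are constructed placeholders, not values from any guideline.

```python
"""Added example for the discussion above; not part of spid-cie-oidc-docs.

ACR selection order implemented here:
  1. acr_values request parameter (OIDC Core), values in order of preference
  2. an individual acr claim request inside the claims parameter
  3. the client's registered default_acr_values (Dynamic Client Registration)
  4. the OP's own default (assumed OP policy)
Following the Step-up Authentication Challenge Protocol, the request is
treated as required: if none of the candidates is supported, the OP returns
error=unmet_authentication_requirements instead of picking a weaker level.
"""
import json

# Constructed placeholders; a real OP publishes its own ACR URIs in discovery.
ACR_HIGH = "urn:example:acr:high"
ACR_MEDIUM = "urn:example:acr:medium"
ACR_LOW = "urn:example:acr:low"
OP_ACR_VALUES_SUPPORTED = (ACR_HIGH, ACR_MEDIUM, ACR_LOW)  # acr_values_supported
OP_DEFAULT_ACR = ACR_MEDIUM        # assumed OP policy when nobody asked for anything
OP_DEFAULT_PROMPT = ("login",)     # assumed OP policy when the RP omits prompt


class UnmetAuthenticationRequirements(Exception):
    """None of the requested ACRs can be satisfied by this OP."""


def requested_acrs(params, client_metadata):
    """Return (candidate ACRs in preference order, which source supplied them)."""
    if params.get("acr_values"):
        # Space-separated list, most preferred first.
        return params["acr_values"].split(), "acr_values"
    if params.get("claims"):
        # claims={"id_token":{"acr":{"value":...}}} or {"values":[...]}
        acr = json.loads(params["claims"]).get("id_token", {}).get("acr") or {}
        if acr.get("values"):
            return list(acr["values"]), "claims"
        if acr.get("value"):
            return [acr["value"]], "claims"
    if client_metadata.get("default_acr_values"):
        return list(client_metadata["default_acr_values"]), "default_acr_values"
    return [OP_DEFAULT_ACR], "op_default"


def resolve_acr(params, client_metadata, supported=OP_ACR_VALUES_SUPPORTED):
    """Pick the first candidate the OP supports; raise if there is none."""
    candidates, source = requested_acrs(params, client_metadata)
    for acr in candidates:
        if acr in supported:
            return acr, source
    raise UnmetAuthenticationRequirements(candidates)


def effective_prompt(params, op_default=OP_DEFAULT_PROMPT):
    """prompt is optional for the RP; when absent the OP applies its default.

    OIDC Core forbids combining prompt=none with any other value, so that
    combination is rejected as an invalid request rather than guessed at."""
    if not params.get("prompt"):
        return set(op_default), "op_default"
    values = set(params["prompt"].split())
    if "none" in values and len(values) > 1:
        raise ValueError("invalid_request: prompt=none cannot be combined")
    return values, "prompt"


def authorize(params, client_metadata):
    """Simulate the OP's decision on parsed authorization-request parameters.

    Returns the parameters the OP would send back: the acr it will enforce
    (standing in for the acr claim of the later ID Token) and the prompt
    behaviour it applied, or the error response."""
    state = params.get("state", "")
    try:
        prompt, prompt_source = effective_prompt(params)
    except ValueError as exc:
        return {"error": "invalid_request", "error_description": str(exc),
                "state": state}
    try:
        acr, acr_source = resolve_acr(params, client_metadata)
    except UnmetAuthenticationRequirements:
        return {"error": "unmet_authentication_requirements", "state": state}
    return {"acr": acr, "acr_source": acr_source,
            "prompt": sorted(prompt), "prompt_source": prompt_source,
            "state": state}


if __name__ == "__main__":
    rp = {"default_acr_values": [ACR_HIGH, ACR_MEDIUM]}   # constructed client
    print(authorize({"client_id": "rp", "state": "s1"}, rp))
    print(authorize({"client_id": "rp", "acr_values": "urn:example:acr:nope"}, rp))
```

The design point is the last branch of resolve_acr: once the OP has a candidate list, whether it came from the request or from registration metadata, it never falls back to "whatever it can do" when nothing matches. That is what makes the RP's omission of acr_values safe: the default is still an explicit, registered expectation, and a mismatch surfaces as an error the RP can act on.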