|
From: Sander A. <sa....@fz...> - 2025-10-29 15:55:38
|
Dear Roman,

thanks for the detailed answer. In case of forwarding, we recognized that the acr_values parameter from downstream RP was not added.

Best regards,
Sander

On Wed, 2025-10-29 at 15:21 +0100, Roman Krysiński wrote:
> Hi Sander,
>
> You’re right - in Unity, when the ACR handling mode is set to fixed,
> the ACR request is not sent using the acr_values parameter. Instead,
> Unity adds the ACR information through the claims parameter in the
> authorization request.
>
> This is intentional and aligns with the OpenID Connect Core
> specification, which allows two equivalent ways to request an ACR:
>
> 1. via the simple acr_values request parameter, or
> 2. via the richer claims parameter that supports “essential” ACR
>    requests and more detailed semantics (see OIDC §5.5.1 and §5.5.1.1).
>
> Unity uses the second form (the claims parameter) for fixed ACR
> configuration, since it provides better precision and flexibility —
> for example, it allows expressing essential ACR requirements.
>
> When ACR is set to forwarded, Unity simply forwards whatever format
> was present in the downstream request — that can be either acr_values
> or claims, depending on the client’s request.
>
> So in short:
>
> * Fixed mode → ACR sent inside claims (not visible as acr_values)
> * Forward mode → Unity preserves the original form (either
>   acr_values or claims)
>
> Best regards,
> Roman
>
> On Tue, 28 Oct 2025 at 08:16, Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > is the ACR forwarding to upstream OPs supported? I know there are
> > configuration options, but if we test with forwarding and even with
> > fixed ACR config to OP, the acr_values are not added in the
> > authorization call. We do not see them in our logs and also the OP
> > does not receive them.
> >
> > Best regards,
> > Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
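The two request forms discussed in this thread can be told apart when inspecting a logged authorization URL. The following is an added example, not part of the thread and not Unity code: it reports whether an ACR is requested through `acr_values` or through the `acr` member of the `claims` parameter. The function name, host names, client id and ACR URNs are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit


def requested_acr(authorization_url):
    """Report how an OIDC authorization request asks for an ACR."""
    query = parse_qs(urlsplit(authorization_url).query)
    found = {"acr_values": [], "claims_acr": [], "essential": False}

    # Form 1: acr_values, a space-separated list (a voluntary request).
    if "acr_values" in query:
        found["acr_values"] = query["acr_values"][0].split()

    # Form 2: claims, a JSON object; the ACR request is id_token.acr.
    try:
        claims = json.loads(query.get("claims", ["{}"])[0])
    except json.JSONDecodeError:
        claims = {}  # malformed claims parameter: treat as no request
    id_token = claims.get("id_token") if isinstance(claims, dict) else None
    acr = id_token.get("acr") if isinstance(id_token, dict) else None
    if isinstance(acr, dict):
        if isinstance(acr.get("values"), list):
            found["claims_acr"] = list(acr["values"])
        elif "value" in acr:
            found["claims_acr"] = [acr["value"]]
        found["essential"] = acr.get("essential") is True
    return found


# Constructed sample requests; host, client_id and ACR URNs are placeholders.
BASE = "https://op.example.org/authorize?"
COMMON = {"response_type": "code", "client_id": "example-client",
          "scope": "openid", "redirect_uri": "https://rp.example.org/cb"}
CLAIMS_FORM = BASE + urlencode({**COMMON, "claims": json.dumps(
    {"id_token": {"acr": {"essential": True,
                          "values": ["urn:example:acr:mfa"]}}})})
ACR_VALUES_FORM = BASE + urlencode(
    {**COMMON, "acr_values": "urn:example:acr:mfa urn:example:acr:pwd"})

if __name__ == "__main__":
    for name, url in (("claims", CLAIMS_FORM), ("acr_values", ACR_VALUES_FORM)):
        print(name, requested_acr(url))
```

A log search for the literal string `acr_values` matches only the second sample; the first carries its ACR request inside the URL-encoded `claims` JSON.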