From: Roman K. <ro...@un...> - 2025-10-31 11:41:17

Hi Sander,

Indeed it looks like there is a regression, I'll open a ticket to cover that and target it for the next release, unless this is an urgent matter - please let me know.

Kind regards,
Roman

On Wed, 29 Oct 2025 at 16:55, Sander Apweiler <sa....@fz...> wrote:

> Dear Roman,
> thanks for the detailed answer. In case of forwarding, we recognized
> that the arc_values parameter from downstream RP was not added.
>
> Best regards,
> Sander
>
> On Wed, 2025-10-29 at 15:21 +0100, Roman Krysiński wrote:
> > Hi Sander,
> > You’re right - in Unity, when the ACR handling mode is set to fixed,
> > the ACR request is not sent using the acr_values parameter. Instead,
> > Unity adds the ACR information through the claims parameter in the
> > authorization request.
> > This is intentional and aligns with the OpenID Connect Core
> > specification, which allows two equivalent ways to request an ACR:
> > 1. via the simple acr_values request parameter, or
> > 2. via the richer claims parameter that supports “essential” ACR
> >    requests and more detailed semantics (see OIDC §5.5.1 and §5.5.1.1).
> > Unity uses the second form (the claims parameter) for fixed ACR
> > configuration, since it provides better precision and flexibility —
> > for example, it allows expressing essential ACR requirements.
> > When ACR is set to forwarded, Unity simply forwards whatever format
> > was present in the downstream request — that can be either acr_values
> > or claims, depending on the client’s request.
> > So in short:
> > * Fixed mode → ACR sent inside claims (not visible as acr_values)
> > * Forward mode → Unity preserves the original form (either
> >   acr_values or claims)
> > Best regards,
> > Roman
> >
> > On Tue, 28 Oct 2025 at 08:16, Sander Apweiler <sa....@fz...> wrote:
> > > Hi Krzysztof,
> > > hi Roman,
> > >
> > > is the ACR forwarding to upstream OPs supported? I know there are
> > > configuration options, but if we test with forwarding and even with
> > > fixed ACR config to OP, the acr_values are not added in the
> > > authorization call. We do not see them in our logs and also the OP
> > > does not receive them.
> > >
> > > Best regards,
> > > Sander
> >
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
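
Added example (not part of the thread and not Unity's code): a small check that reports which of the two request forms discussed above, acr_values or the claims parameter, an authorization request URL taken from a proxy or OP log actually carries. The host names, client_id and ACR URNs are constructed samples, and the claims JSON follows the shape in OIDC Core §5.5.1.1, since the thread does not show the exact JSON Unity emits.

```python
import json
from urllib.parse import urlsplit, parse_qs, urlencode


def requested_acr(authz_url):
    """Report how an OIDC authorization request asks for an ACR."""
    query = parse_qs(urlsplit(authz_url).query)
    result = {"acr_values": [], "claims": [], "essential": False}

    # Form 1: space-separated list, in order of preference.
    if "acr_values" in query:
        result["acr_values"] = query["acr_values"][0].split()

    # Form 2: JSON "claims" request object, with acr under "id_token".
    if "claims" in query:
        try:
            claims = json.loads(query["claims"][0])
        except json.JSONDecodeError:
            return result  # malformed claims: nothing usable was requested
        id_token = claims.get("id_token") if isinstance(claims, dict) else None
        acr = id_token.get("acr") if isinstance(id_token, dict) else None
        if isinstance(acr, dict):
            if "value" in acr:  # single required value
                result["claims"].append(acr["value"])
            result["claims"].extend(acr.get("values", []))
            result["essential"] = acr.get("essential") is True
    return result


def _sample(extra):
    # Constructed sample request; every value here is made up.
    base = {"response_type": "code", "client_id": "sample-client",
            "scope": "openid", "redirect_uri": "https://rp.example.org/cb"}
    return "https://op.example.org/authorize?" + urlencode({**base, **extra})


SAMPLE_CLAIMS_FORM = _sample({"claims": json.dumps(
    {"id_token": {"acr": {"essential": True, "values": ["urn:example:mfa"]}}})})
SAMPLE_ACR_VALUES_FORM = _sample({"acr_values": "urn:example:mfa urn:example:pwd"})
SAMPLE_NO_ACR = _sample({})

if __name__ == "__main__":
    for url in (SAMPLE_CLAIMS_FORM, SAMPLE_ACR_VALUES_FORM, SAMPLE_NO_ACR):
        print(requested_acr(url))
```

A request for which both lists come back empty carries no ACR request in either form, which is the case to look for when checking forwarded requests in logs.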