From: Roman K. <ro...@un...> - 2025-11-03 11:59:39
Dear Sander,

After testing and reviewing the code for ACR forwarding, it appears that Unity always forwards the ACR request in the form of claims, regardless of whether the original request used acr_values or claims. This means the forwarding is semantic rather than strict — Unity preserves the meaning of the ACR request, but normalizes it to the claims representation instead of copying the original parameter format.

Could you please confirm if this aligns with what you're observing on your end, and whether a strict parameter-level forward would be preferable in your use case?

Kind regards,
Roman

Fri, 31 Oct 2025 at 12:40 Roman Krysiński <ro...@un...> wrote:
> Hi Sander,
>
> Indeed it looks like there is a regression, I'll open a ticket to cover
> that and target it for the next release, unless this is an urgent matter -
> please let me know.
>
> Kind regards,
> Roman
>
>
> Wed, 29 Oct 2025 at 16:55 Sander Apweiler <sa....@fz...> wrote:
>> Dear Roman,
>> thanks for the detailed answer. In case of forwarding, we recognized
>> that the acr_values parameter from downstream RP was not added.
>>
>> Best regards,
>> Sander
>>
>> On Wed, 2025-10-29 at 15:21 +0100, Roman Krysiński wrote:
>> > Hi Sander,
>> > You're right - in Unity, when the ACR handling mode is set to fixed,
>> > the ACR request is not sent using the acr_values parameter. Instead,
>> > Unity adds the ACR information through the claims parameter in the
>> > authorization request.
>> > This is intentional and aligns with the OpenID Connect Core
>> > specification, which allows two equivalent ways to request an ACR:
>> > 1. via the simple acr_values request parameter, or
>> > 2. via the richer claims parameter that supports "essential" ACR
>> >    requests and more detailed semantics (see OIDC §5.5.1 and §5.5.1.1).
>> > Unity uses the second form (the claims parameter) for fixed ACR
>> > configuration, since it provides better precision and flexibility —
>> > for example, it allows expressing essential ACR requirements.
>> > When ACR is set to forwarded, Unity simply forwards whatever format
>> > was present in the downstream request — that can be either acr_values
>> > or claims, depending on the client's request.
>> > So in short:
>> > * Fixed mode → ACR sent inside claims (not visible as acr_values)
>> > * Forward mode → Unity preserves the original form (either
>> >   acr_values or claims)
>> > Best regards,
>> > Roman
>> >
>> >
>> > Tue, 28 Oct 2025 at 08:16 Sander Apweiler <sa....@fz...> wrote:
>> > > Hi Krzysztof,
>> > > hi Roman,
>> > >
>> > > is the ACR forwarding to upstream OPs supported? I know there are
>> > > configuration options, but if we test with forwarding and even with
>> > > fixed ACR config to OP, the acr_values are not added in the
>> > > authorization call. We do not see them in our logs and also the OP
>> > > does not receive them.
>> > >
>> > > Best regards,
>> > > Sander
>> > >
>>
>> --
>> Large-Scale Data Science
>> Juelich Supercomputing Centre
>> Forschungszentrum Jülich GmbH
>>
>> _______________________________________________
>> Unity-idm-discuss mailing list
>> Uni...@li...
>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
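The thread turns on the two equivalent ways OIDC Core §5.5.1 lets a client request an ACR (the acr_values parameter versus an acr entry in the claims parameter), and on the practical problem Sander hit: checking in a log whether an outgoing authorization request carries any ACR request at all. The following is an added example written for this page, not Unity's code. It reads the ACR request out of an authorization URL in either form, rewrites an acr_values request into the claims form the way the "semantic forward" described above does, and builds the essential claims request that fixed mode produces. Hostnames, client_id and the endpoint paths are placeholders, and the sample request is constructed; the ACR values used are the public REFEDS MFA profile and the SAML Password class.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed sample: a downstream RP's authorization request using the
# simple acr_values form (space-separated, %20 in the URL). Host, path and
# client_id are placeholders, not Unity's real endpoints.
DOWNSTREAM_REQUEST = (
    "https://unity.example/oauth2-authz?response_type=code&client_id=rp1"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&scope=openid"
    "&acr_values=https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%20"
    "urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APassword"
)


def acr_values_to_claims(acr_values, essential=False):
    """Express a space-separated acr_values string as the equivalent claims
    parameter object (OIDC Core 5.5.1.1): acr requested for the ID token with
    the same candidate values. acr_values itself is always voluntary, so
    'essential' is only true when the caller asks for it (fixed mode)."""
    return {"id_token": {"acr": {"essential": essential, "values": acr_values.split()}}}


def extract_acr_request(auth_url):
    """Read the ACR request out of an authorization request URL, whichever
    form carries it. Returns {"form", "values", "essential"}; form is None
    when no ACR is requested. The claims form is checked first because only
    it can carry the stricter 'essential' semantics."""
    q = parse_qs(urlparse(auth_url).query)
    if "claims" in q:
        try:
            claims = json.loads(q["claims"][0])
        except ValueError:
            claims = {}  # malformed claims JSON: fall back to acr_values, if any
        id_token = claims.get("id_token") or {}
        if "acr" in id_token:
            acr = id_token["acr"] or {}  # "acr": null means requested without constraints
            values = ([acr["value"]] if "value" in acr else []) + list(acr.get("values", []))
            return {"form": "claims", "values": values, "essential": bool(acr.get("essential", False))}
    if "acr_values" in q:
        return {"form": "acr_values", "values": q["acr_values"][0].split(), "essential": False}
    return {"form": None, "values": [], "essential": False}


def rewrite_acr_as_claims(auth_url):
    """Semantic forward: keep the meaning of an acr_values request but carry it
    in the claims parameter (the normalization the thread describes).
    Requests that already use claims, or request no ACR, pass through unchanged."""
    parts = urlparse(auth_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "acr_values" not in q:
        return auth_url
    acr = acr_values_to_claims(q.pop("acr_values"))["id_token"]["acr"]
    claims = json.loads(q["claims"]) if "claims" in q else {}
    claims.setdefault("id_token", {})["acr"] = acr
    q["claims"] = json.dumps(claims, separators=(",", ":"))
    return urlunparse(parts._replace(query=urlencode(q)))


def fixed_mode_request(upstream_authz_endpoint, acr):
    """Fixed mode as described in the thread: a configured ACR is sent as an
    essential claims request, never as acr_values. Endpoint is a placeholder."""
    q = {"response_type": "code", "scope": "openid",
         "claims": json.dumps(acr_values_to_claims(acr, essential=True), separators=(",", ":"))}
    return upstream_authz_endpoint + "?" + urlencode(q)


if __name__ == "__main__":
    print(extract_acr_request(DOWNSTREAM_REQUEST))
    forwarded = rewrite_acr_as_claims(DOWNSTREAM_REQUEST)
    print(forwarded)
    print(extract_acr_request(forwarded))
    print(extract_acr_request(fixed_mode_request("https://op.example/authorize",
                                                 "https://refeds.org/profile/mfa")))
```

Run against a URL copied from the proxy's outgoing-request log, `extract_acr_request` answers the question raised in the thread directly: a result with form `None` means the upstream OP is indeed receiving no ACR request in either form, while form `claims` with the expected values means the request was forwarded, just not as acr_values.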