From: Roman K. <ro...@un...> - 2025-11-06 09:54:24

Dear Sander,

Please let me know your thoughts on this matter.

Kind regards,
Roman

On Mon, 3 Nov 2025 at 12:59 Roman Krysiński <ro...@un...> wrote:

> Dear Sander,
>
> After testing and reviewing the code for ACR forwarding, it appears that
> Unity always forwards the ACR request in the form of claims, regardless of
> whether the original request used acr_values or claims.
> This means the forwarding is semantic rather than strict — Unity preserves
> the meaning of the ACR request, but normalizes it to the claims
> representation instead of copying the original parameter format.
>
> Could you please confirm if this aligns with what you’re observing on your
> end, and whether a strict parameter-level forward would be preferable in
> your use case?
>
> Kind regards,
> Roman
>
>
> On Fri, 31 Oct 2025 at 12:40 Roman Krysiński <ro...@un...> wrote:
>
>> Hi Sander,
>>
>> Indeed it looks like there is a regression, I'll open a ticket to cover
>> that and target it for the next release, unless this is an urgent matter -
>> please let me know.
>>
>> Kind regards,
>> Roman
>>
>>
>> On Wed, 29 Oct 2025 at 16:55 Sander Apweiler <sa....@fz...> wrote:
>>
>>> Dear Roman,
>>> thanks for the detailed answer. In case of forwarding, we recognized
>>> that the acr_values parameter from the downstream RP was not added.
>>>
>>> Best regards,
>>> Sander
>>>
>>> On Wed, 2025-10-29 at 15:21 +0100, Roman Krysiński wrote:
>>> > Hi Sander,
>>> > You’re right - in Unity, when the ACR handling mode is set to fixed,
>>> > the ACR request is not sent using the acr_values parameter. Instead,
>>> > Unity adds the ACR information through the claims parameter in the
>>> > authorization request.
>>> > This is intentional and aligns with the OpenID Connect Core
>>> > specification, which allows two equivalent ways to request an ACR:
>>> > 1. via the simple acr_values request parameter, or
>>> > 2. via the richer claims parameter that supports “essential” ACR
>>> >    requests and more detailed semantics (see OIDC §5.5.1 and §5.5.1.1).
>>> > Unity uses the second form (the claims parameter) for fixed ACR
>>> > configuration, since it provides better precision and flexibility —
>>> > for example, it allows expressing essential ACR requirements.
>>> > When ACR is set to forwarded, Unity simply forwards whatever format
>>> > was present in the downstream request — that can be either acr_values
>>> > or claims, depending on the client’s request.
>>> > So in short:
>>> > * Fixed mode → ACR sent inside claims (not visible as acr_values)
>>> > * Forward mode → Unity preserves the original form (either
>>> >   acr_values or claims)
>>> > Best regards,
>>> > Roman
>>> >
>>> >
>>> > On Tue, 28 Oct 2025 at 08:16 Sander Apweiler <sa....@fz...> wrote:
>>> > > Hi Krzysztof,
>>> > > hi Roman,
>>> > >
>>> > > is the ACR forwarding to upstream OPs supported? I know there are
>>> > > configuration options, but if we test with forwarding and even with
>>> > > fixed ACR config to OP, the acr_values are not added in the
>>> > > authorization call. We do not see them in our logs and also the OP
>>> > > does not receive them.
>>> > >
>>> > > Best regards,
>>> > > Sander
>>> > >
>>>
>>> --
>>> Large-Scale Data Science
>>> Juelich Supercomputing Centre
>>>
>>> phone: +49 2461 61 8847
>>> fax: +49 2461 61 6656
>>> email: sa....@fz...
>>>
>>> -----------------------------------------------------------------------
>>> -----------------------------------------------------------------------
>>> Forschungszentrum Jülich GmbH
>>> 52425 Jülich
>>> Registered office: Jülich
>>> Registered in the commercial register of the Düren Local Court No. HR B 3498
>>> Chairman of the Supervisory Board: MinDir Stefan Müller
>>> Management Board: Prof. Dr. Astrid Lambrecht (Chair),
>>> Dr. Stephanie Bauer (Deputy Chair),
>>> Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers
>>> -----------------------------------------------------------------------
>>> -----------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Unity-idm-discuss mailing list
>>> Uni...@li...
>>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>>>
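The thread turns on two facts: OIDC Core lets an ACR be requested either through the plain `acr_values` parameter or through the `claims` parameter (where it can also be marked `essential`), and the reported regression was that the ACR requirement from the downstream RP did not appear in the upstream authorization request at all. The script below is an added example written for this thread, not code from Unity or from any of the participants: it extracts the ACR request from an authorization URL in either form, shows the `acr_values` to `claims` normalization Roman describes, and checks whether an upstream request still carries the downstream ACR requirement, which is the verification an operator would run against their proxy logs. The endpoint, client id, redirect URI and state are constructed placeholders; `https://refeds.org/profile/mfa` is the REFEDS MFA ACR identifier and `urn:mace:incommon:iap:silver` is the ACR used in the OIDC Core examples.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class AcrRequest:
    values: tuple            # requested ACR values, in the requester's preference order
    essential: bool = False  # only the claims form can mark the ACR as essential


def extract_acr(authz_url: str) -> Optional[AcrRequest]:
    """Return the ACR request carried by an OIDC authorization request URL, or None.

    The richer form (claims.id_token.acr, OIDC Core 5.5.1.1) is checked first,
    then the simple acr_values parameter (OIDC Core 3.1.2.1).
    """
    query = parse_qs(urlparse(authz_url).query)
    if "claims" in query:
        id_token_claims = json.loads(query["claims"][0]).get("id_token", {})
        if "acr" in id_token_claims:
            acr = id_token_claims["acr"]
            if acr is None:  # "acr": null means "any value, voluntary"
                return AcrRequest(values=())
            if "values" in acr:
                values = tuple(acr["values"])
            elif "value" in acr:
                values = (acr["value"],)
            else:
                values = ()
            return AcrRequest(values=values, essential=bool(acr.get("essential", False)))
    if "acr_values" in query:
        # acr_values is a space-separated list; it is always a voluntary request
        return AcrRequest(values=tuple(query["acr_values"][0].split()))
    return None


def acr_values_to_claims(acr_values: str, essential: bool = False) -> dict:
    """Express an acr_values string as the equivalent claims-parameter object.

    This is the semantic normalization the thread describes: the meaning is
    kept, the parameter format is not. acr_values is voluntary, so essential
    defaults to False.
    """
    return {"id_token": {"acr": {"essential": essential, "values": acr_values.split()}}}


def acr_preserved(downstream_url: str, upstream_url: str) -> bool:
    """True when the upstream (proxy -> OP) request carries at least the ACR
    requirement of the downstream (RP -> proxy) request, in either form."""
    wanted = extract_acr(downstream_url)
    if wanted is None:
        return True  # nothing to forward
    sent = extract_acr(upstream_url)
    if sent is None:
        return False  # the regression case: ACR requirement silently dropped
    return sent.values == wanted.values and (sent.essential or not wanted.essential)


# Constructed sample requests (hypothetical endpoint, client id, redirect URI and state).
BASE = "https://op.example.org/authorize?"
COMMON = {
    "response_type": "code",
    "client_id": "unity-proxy",
    "redirect_uri": "https://unity.example.org/cb",
    "scope": "openid",
    "state": "constructed-state",
}
MFA_ACR = "https://refeds.org/profile/mfa"
DOWNSTREAM_REQUEST = BASE + urlencode({**COMMON, "acr_values": MFA_ACR})
UPSTREAM_FORWARDED = BASE + urlencode({**COMMON, "claims": json.dumps(acr_values_to_claims(MFA_ACR))})
UPSTREAM_DROPPED = BASE + urlencode(COMMON)
ESSENTIAL_DOWNSTREAM = BASE + urlencode(
    {**COMMON, "claims": json.dumps({"id_token": {"acr": {"essential": True, "value": "urn:mace:incommon:iap:silver"}}})}
)

if __name__ == "__main__":
    print("downstream ACR:", extract_acr(DOWNSTREAM_REQUEST))
    print("upstream (claims form) preserves ACR:", acr_preserved(DOWNSTREAM_REQUEST, UPSTREAM_FORWARDED))
    print("upstream (no ACR at all) preserves ACR:", acr_preserved(DOWNSTREAM_REQUEST, UPSTREAM_DROPPED))
    print("essential downstream vs voluntary upstream:", acr_preserved(ESSENTIAL_DOWNSTREAM, UPSTREAM_FORWARDED))
```

Run against the two URLs captured from a proxy's own outbound log and from the RP's inbound request, `acr_preserved` returning `False` is exactly the symptom Sander reports; comparing on extracted values rather than on the literal parameter makes the check indifferent to whether the proxy forwards strictly or normalizes to `claims`.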