|
From: Sander A. <sa....@fz...> - 2025-11-06 10:45:19
|
Dear Roman,

I was on a business trip this week. I'll check and come back as soon as
possible.

Best regards,
Sander

On Thu, 2025-11-06 at 10:53 +0100, Roman Krysiński wrote:
> Dear Sander,
>
> Please let me know your thoughts on this matter.
>
> Kind regards,
> Roman
>
>
> Mon, 3 Nov 2025 at 12:59 Roman Krysiński <ro...@un...> wrote:
> > Dear Sander,
> >
> > After testing and reviewing the code for ACR forwarding, it appears
> > that Unity always forwards the ACR request in the form of claims,
> > regardless of whether the original request used acr_values or
> > claims.
> > This means the forwarding is semantic rather than strict — Unity
> > preserves the meaning of the ACR request, but normalizes it to the
> > claims representation instead of copying the original parameter
> > format.
> >
> > Could you please confirm if this aligns with what you’re observing
> > on your end, and whether a strict parameter-level forward would be
> > preferable in your use case?
> >
> > Kind regards,
> > Roman
> >
> >
> > Fri, 31 Oct 2025 at 12:40 Roman Krysiński <ro...@un...> wrote:
> > > Hi Sander,
> > >
> > > Indeed it looks like there is a regression, I'll open a ticket to
> > > cover that and target it for the next release, unless this is an
> > > urgent matter - please let me know.
> > >
> > > Kind regards,
> > > Roman
> > >
> > >
> > > Wed, 29 Oct 2025 at 16:55 Sander Apweiler <sa....@fz...> wrote:
> > > > Dear Roman,
> > > > thanks for the detailed answer. In case of forwarding, we
> > > > recognized that the acr_values parameter from downstream RP
> > > > was not added.
> > > >
> > > > Best regards,
> > > > Sander
> > > >
> > > > On Wed, 2025-10-29 at 15:21 +0100, Roman Krysiński wrote:
> > > > > Hi Sander,
> > > > > You’re right - in Unity, when the ACR handling mode is set to
> > > > > fixed, the ACR request is not sent using the acr_values
> > > > > parameter. Instead, Unity adds the ACR information through
> > > > > the claims parameter in the authorization request.
> > > > > This is intentional and aligns with the OpenID Connect Core
> > > > > specification, which allows two equivalent ways to request an
> > > > > ACR:
> > > > > 1. via the simple acr_values request parameter, or
> > > > > 2. via the richer claims parameter that supports “essential”
> > > > >    ACR requests and more detailed semantics (see OIDC §5.5.1
> > > > >    and §5.5.1.1).
> > > > > Unity uses the second form (the claims parameter) for fixed
> > > > > ACR configuration, since it provides better precision and
> > > > > flexibility — for example, it allows expressing essential ACR
> > > > > requirements.
> > > > > When ACR is set to forwarded, Unity simply forwards whatever
> > > > > format was present in the downstream request — that can be
> > > > > either acr_values or claims, depending on the client’s
> > > > > request.
> > > > > So in short:
> > > > > * Fixed mode → ACR sent inside claims (not visible as
> > > > >   acr_values)
> > > > > * Forward mode → Unity preserves the original form (either
> > > > >   acr_values or claims)
> > > > > Best regards,
> > > > > Roman
> > > > >
> > > > >
> > > > > Tue, 28 Oct 2025 at 08:16 Sander Apweiler <sa....@fz...> wrote:
> > > > > > Hi Krzysztof,
> > > > > > hi Roman,
> > > > > >
> > > > > > is the ACR forwarding to upstream OPs supported? I know
> > > > > > there are configuration options, but if we test with
> > > > > > forwarding and even with fixed ACR config to OP, the
> > > > > > acr_values are not added in the authorization call. We do
> > > > > > not see them in our logs and also the OP does not receive
> > > > > > them.
> > > > > >
> > > > > > Best regards,
> > > > > > Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr. Astrid Lambrecht (Chair),
Dr. Stephanie Bauer (Vice-Chair), Prof. Dr. Ir. Pieter Jansens,
Prof. Dr. Laurens Kuipers
-----------------------------------------------------------------------
|
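The thread turns on the two ways an OIDC authorization request can carry an ACR request (acr_values, or the acr member of the claims parameter), so a log check that only looks for `acr_values=` will miss the claims form. The following is an added example, not part of the thread and not Unity's code, that extracts the ACR request from either form; the host `op.example`, client `rp1` and the `urn:example:*` ACR names are constructed, and only `claims.id_token` is inspected.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def requested_acr(auth_request_url):
    """List the ACR requests in an OIDC authorization request URL.

    Covers both forms from the thread: acr_values, and the acr member of
    claims.id_token (OIDC Core 5.5.1 / 5.5.1.1).
    """
    query = parse_qs(urlsplit(auth_request_url).query)
    found = []
    # Form 1: acr_values is a space-separated list, in order of preference.
    for raw in query.get("acr_values", []):
        if raw.split():
            found.append({"source": "acr_values", "values": raw.split(),
                          "essential": False})
    # Form 2: claims is JSON; acr is null or an object with essential/value/values.
    for raw in query.get("claims", []):
        try:
            id_token = json.loads(raw).get("id_token")
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed claims parameter: no usable ACR request
        if not isinstance(id_token, dict) or "acr" not in id_token:
            continue
        spec = id_token["acr"] if isinstance(id_token["acr"], dict) else {}
        values = spec.get("values") if isinstance(spec.get("values"), list) else []
        if "value" in spec:
            values = [spec["value"]] + values
        found.append({"source": "claims.id_token", "values": values,
                      "essential": spec.get("essential") is True})
    return found

# Constructed sample requests (hypothetical OP, client and ACR URNs).
BASE = {"response_type": "code", "client_id": "rp1", "scope": "openid"}
AS_ACR_VALUES = "https://op.example/authorize?" + urlencode(
    {**BASE, "acr_values": "urn:example:mfa urn:example:pwd"})
AS_CLAIMS = "https://op.example/authorize?" + urlencode(
    {**BASE, "claims": json.dumps(
        {"id_token": {"acr": {"essential": True, "values": ["urn:example:mfa"]}}})})

if __name__ == "__main__":
    for url in (AS_ACR_VALUES, AS_CLAIMS):
        print(requested_acr(url))
```

Run against the authorization requests an upstream OP actually logs, an empty result for both forms means no ACR request arrived at all, as opposed to one that arrived inside claims.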