[keycloak-dev] KEYCLOAK-3314 acr/amr support

Jannik Hüls jannik.huels at googlemail.com
Tue Aug 1 11:53:48 EDT 2017


I would like to contribute to the Keycloak project and implement acr and amr support as described in KEYCLOAK-3314. (However, I don’t know whether this is a good place to start - but at least this is a recent topic very many customers are currently requesting ;-))

My idea would be to implement it in the way Youssef suggested in the comments. Thus every Authenticator of a specific Flow may get an “Authentication Method Reference Value”.
E.g. having two Authenticators ‘pwd’ and ‘otp’:

The claim acr_values describes the desired level of an authentication request, thus using acr_values=pwd for the initial response should only trigger the pwd Authenticator and return acr=pwd and amr=[pwd].
A second authentication request using acr_values=otp should only trigger the otp authenticator, but return acr=otp and amr=[pwd,otp].

Please let me know if you want to implement support of acr and amr - even if my initial thoughts do not correspond to the ideas you have to implement this. :-)

Kind regards
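
The pwd/otp exchange described in the message above, modelled as an added example that is not part of the original message and not Keycloak code. `FLOW`, `Session`, `StepUpError`, `authenticate` and `run_authenticator` are hypothetical names; the handling of a fresh session asking for otp and of a repeated request is an assumption, since the message does not cover those cases.

```python
from dataclasses import dataclass, field

# Hypothetical flow: each authenticator carries one "Authentication Method
# Reference Value", listed in the order the flow defines them.
FLOW = ["pwd", "otp"]


@dataclass
class Session:
    """SSO session that remembers which methods have already succeeded."""
    amr: list = field(default_factory=list)


class StepUpError(Exception):
    """The request cannot be satisfied, so no token is issued."""


def authenticate(session, acr_values, run_authenticator):
    """Handle one authentication request carrying acr_values.

    run_authenticator(ref) -> bool stands in for executing the authenticator
    tagged with that reference value. Returns the acr and amr claims.
    """
    # OIDC sends acr_values as a space-separated list in order of preference.
    ref = next((v for v in acr_values.split() if v in FLOW), None)
    if ref is None:
        raise StepUpError("no authenticator tagged with: " + acr_values)

    # Assumption: methods earlier in the flow must already be recorded in the
    # session, so acr_values=otp on a fresh session cannot skip the password.
    missing = [m for m in FLOW[:FLOW.index(ref)] if m not in session.amr]
    if missing:
        raise StepUpError("earlier methods not completed: " + ",".join(missing))

    # Assumption: a method already completed in this session is not re-run.
    if ref not in session.amr:
        if not run_authenticator(ref):
            raise StepUpError("authenticator failed: " + ref)
        session.amr.append(ref)

    # amr accumulates over the session; acr reports the level just requested.
    return {"acr": ref, "amr": list(session.amr)}
```
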
