[keycloak-dev] KEYCLOAK-3314 acr/amr support

Stian Thorgersen sthorger at redhat.com
Thu Aug 17 03:20:35 EDT 2017

Authentication flows and authenticators should be protocol agnostic. We
currently support both OIDC and SAML. In the future we may add more as well.

With that regards there needs to be a protocol agnostic concept of step-up
authentication. We have some design ideas around it, which involves having
conditions within the authentication flows that handles it rather than
having authenticators to it themselves.

Take a look at https://issues.jboss.org/browse/KEYCLOAK-847 that links to a
Google Doc with some notes

On 1 August 2017 at 17:53, Jannik Hüls <jannik.huels at googlemail.com> wrote:

> Hi,
> I would like to contribute to the Keycloak project and implement acr and
> amr support like described in KEYCLOAK-3314. (However, I don’t know whether
> this is a good place to start - but at least this is a recent topic very
> many customers are currently requesting ;-))
> My idea would be to implement it in a way Youssef suggested in the
> comments. Thus every Authenticator of a specific Flow may get a
> "Authentication Method Reference Value”.
> E.g. having two Authenticators ‘pwd’ and ‘top’:
> The claim acr_values describes the desired level of an authentication
> request, thus using acr_values=pwd for the initial response should only
> trigger the pwd Authenticator and return acr=pwd and amr=[pwd].
> A second authentication request using acr_values=otp should only  trigger
> the otp authenticator, but return acr=otp and amr=[pwd,otp].
> Please let me know if you want to implement support of acr and amr - even
> if my initial thoughts do not correspond to the ideas you have to implement
> this. :-)
> Kind regards
> Jannik
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list