[keycloak-dev] acr and acr_values

Martin Hardselius martin.hardselius at gmail.com
Thu Feb 16 04:08:23 EST 2017


There's a bunch of different use-cases, but step-up authentication is
indeed one of them. In addition to email/uname + pwd, sms otp or TOTP we
need to support means of authentication with higher levels of assurance.
Like Norwegian BankID, Swedish BankID, Danish NemID, Finnish Tupas,
Estonian ESTEeID, etc. This is something that we could probably accomplish
with cunning use of query parameters and prompt=login, and it would
resemble the standard way to do it, but it would still be somewhat hackish.

Since this is also telco related, we're looking at Mobile Connect down the
road, and acr and acr_values are required by the Mobile Connect profile.

https://developer.mobileconnect.io/mobile-connect-profile-v1-2

The ideas you listed all look super relevant. One thing that I would find
useful is support for a "method portal" of sorts. The End-User would be
able to select her method of authentication. This is relevant when you have
several options on a single assurance level. Like in Norway, where we have
both BankID and Buypass.

I hope this made sense.

Martin

On Thu, 16 Feb 2017 at 09:21 Stian Thorgersen <sthorger at redhat.com> wrote:

> Can you elaborate on your use-case?
>
> We have some plans to introduce a step-up-authentication mechanism. The
> main idea is to have the concept of authentication levels. In the
> authentication flows there would be additional metadata that would set the
> authentication level. This means the authentication level can be set
> independently of authenticators, and authenticators don't even have to be
> aware of it.
>
> In summary a login flow would look something like:
>
> * Username/password form
> * Set authentication level = 1
> * OTP form
> * Set authentication level = 2
>
> Behind the covers the authentication processor would know at which point
> in the flow it's possible to exit the flow depending on the level
> requested. The level requested would be base on:
>
> * Realm default
> * Client default
> * Client requested
>
> It would also support the client being able to initially request level
> 1 and then later ask for level 2. The authentication processor would in that
> case be able to skip the parts of the flow that were previously executed.
>
> We also had an idea about allowing alternative flows depending on what
> level you are going from and to. This could be relevant if authenticators
> allow collecting more than one thing on a single form. For example there
> could be alternative authenticators for username-only, username+password,
> username+password+otp. This would be done by having conditions on which
> flow to select.
>
>
> On 15 February 2017 at 14:46, Martin Hardselius <
> martin.hardselius at gmail.com> wrote:
>
> We're in the process of adding support for different levels of assurance in
> our custom installation, which means that proper support for acr and
> acr_values is becoming more of a priority. What's the status on this? Can
> we assist with a PR?
>
> https://issues.jboss.org/browse/KEYCLOAK-3314
>
> This might fit better into keycloak-user, but if you already have plans for
> acr-stuff, or planned refactorings that would affect how this is
> implemented, I'd be happy for some advice on how to proceed with a
> temporary solution.
>
> Regards,
> Martin
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
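The following is an added illustration of the authentication-level scheme sketched in Stian's reply above (realm default / client default / client-requested acr_values precedence, level markers interleaved with authenticators, and a step-up from level 1 to level 2 that re-runs only the remaining part of the flow). It is not Keycloak code and does not reflect what was eventually implemented; the flow layout, the acr names "loa-1"/"loa-2", the Session model and the StepUpUnavailable error are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Auth:
    """An authenticator step (e.g. a login form). It knows nothing about
    levels; the level comes from the flow metadata around it."""
    name: str


@dataclass(frozen=True)
class SetLevel:
    """Flow metadata: reaching this step means the session has this level."""
    level: int


Step = Union[Auth, SetLevel]

# Constructed flow mirroring the sketch in the thread.
FLOW: List[Step] = [Auth("username-password"), SetLevel(1), Auth("otp"), SetLevel(2)]

# Constructed acr names (assumption); a deployment would use its own profile's values.
ACR_TO_LEVEL: Dict[str, int] = {"loa-1": 1, "loa-2": 2}
LEVEL_TO_ACR: Dict[int, str] = {v: k for k, v in ACR_TO_LEVEL.items()}


@dataclass
class Session:
    level: int = 0  # highest level achieved so far; 0 = not authenticated


class StepUpUnavailable(Exception):
    """The configured flow cannot reach the requested level."""


def resolve_requested_level(realm_default: int, client_default: Optional[int],
                            acr_values: Optional[str],
                            acr_to_level: Dict[str, int] = ACR_TO_LEVEL) -> int:
    """Precedence as listed in the thread: client request, then client
    default, then realm default. acr_values is the space-separated OIDC
    request parameter. Unknown values are ignored rather than treated as
    satisfied; if nothing the client asked for is known, fall through."""
    if acr_values:
        known = [acr_to_level[v] for v in acr_values.split() if v in acr_to_level]
        if known:
            return max(known)
    if client_default is not None:
        return client_default
    return realm_default


def run_flow(flow: List[Step], session: Session, requested_level: int) -> List[str]:
    """Run the flow for a session and return the authenticators executed.
    Steps already covered by the session's level are skipped (step-up from
    1 to 2 runs only the OTP part) and the flow exits as soon as the
    requested level is reached. Raises if the flow ends below the request,
    so a token is never issued at a lower level than was asked for."""
    executed: List[str] = []
    if session.level >= requested_level:
        return executed
    # Everything up to the last SetLevel the session already holds is done.
    start = 0
    for i, step in enumerate(flow):
        if isinstance(step, SetLevel) and step.level <= session.level:
            start = i + 1
    for step in flow[start:]:
        if isinstance(step, Auth):
            executed.append(step.name)
        else:
            session.level = max(session.level, step.level)
            if session.level >= requested_level:
                break
    if session.level < requested_level:
        raise StepUpUnavailable(f"flow tops out at level {session.level}, "
                                f"requested {requested_level}")
    return executed


def acr_claim(session: Session) -> Optional[str]:
    """Value for the ID token's acr claim given the level actually achieved."""
    return LEVEL_TO_ACR.get(session.level)


if __name__ == "__main__":
    s = Session()
    lvl = resolve_requested_level(realm_default=1, client_default=None, acr_values=None)
    print(run_flow(FLOW, s, lvl), s.level, acr_claim(s))  # ['username-password'] 1 loa-1
    lvl = resolve_requested_level(1, None, "loa-2")       # client now asks for level 2
    print(run_flow(FLOW, s, lvl), s.level, acr_claim(s))  # ['otp'] 2 loa-2
```

The point of the StepUpUnavailable check is the failure mode a practitioner cares about: when a client asks for an acr the flow cannot deliver, the processor must refuse rather than quietly hand back a token carrying a weaker acr, and the acr claim is derived from the level the session actually reached, not from what was requested.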
