Authentication ACR TIA Plugin

Authorize the issuance of a scope based on the ACR of the user authentication.

Use Cases

Authorizing the issuance of scopes based on the ACR of the user authentication can increase the trust that the scope is being issued to the expected user. For example, a scope that gives access to a higher-value resource or operation might require that a particular authenticator or multi-factor authentication was used.

Process

The Authentication ACR TIA plugin evaluates the Authentication Attributes to determine which ACR was used to authenticate the user. Based on its configuration, the plugin indicates one of two outcomes:

  • the ACR is explicitly allowed by the whitelist (required-acr), so the scope can be issued
  • the ACR is not in the whitelist, so the scope is denied
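The decision described above can be modelled in a few lines. This is an added example, not the plugin's own code. The "acr" attribute key, the policy shape, the scope names and the ACR URNs are assumptions constructed for illustration, and denying a scope that has no whitelist configured is a choice of this model.

```python
from typing import Iterable, List, Mapping, Set, Tuple

# Assumed policy shape: scope -> whitelist of ACR values (the "required-acr" list).
# Scope names and ACR URNs are constructed sample values.
POLICY: Mapping[str, Set[str]] = {
    "profile:read": {"urn:example:acr:password", "urn:example:acr:mfa-totp"},
    "payments:write": {"urn:example:acr:mfa-totp", "urn:example:acr:webauthn"},
}


def authorize_scope(scope: str, auth_attributes: Mapping[str, object],
                    policy: Mapping[str, Set[str]] = POLICY) -> bool:
    """Return True only when the ACR of the authentication is whitelisted for the scope."""
    allowed = policy.get(scope)
    if not allowed:
        # Model choice: no whitelist configured for the scope means deny.
        return False
    acr = auth_attributes.get("acr")  # assumed attribute key
    if not isinstance(acr, str):
        # Missing or malformed ACR is "not in the whitelist": deny.
        return False
    # Exact, case-sensitive match. Prefix or case-insensitive matching would
    # let a weaker ACR with a similar name satisfy the requirement.
    return acr in allowed


def filter_scopes(requested: Iterable[str], auth_attributes: Mapping[str, object],
                  policy: Mapping[str, Set[str]] = POLICY) -> Tuple[List[str], List[str]]:
    """Split the requested scopes into (issued, denied) for one authentication."""
    issued: List[str] = []
    denied: List[str] = []
    for scope in requested:
        target = issued if authorize_scope(scope, auth_attributes, policy) else denied
        target.append(scope)
    return issued, denied


if __name__ == "__main__":
    # Constructed sample: a password-only login asking for both scopes.
    attrs = {"subject": "alice", "acr": "urn:example:acr:password"}
    print(filter_scopes(["profile:read", "payments:write"], attrs))
```
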
