Re: [OAUTH-WG] Step-up Authentication review

2022-04-25 Thread Vittorio Bertocci
" is always a superset of previous authentication contexts and include authentication context history in the access token to give visibility to the resource server on which authentication contexts were satisfied when and how long ago (e.g. include the latest acr and auth_time values as

Re: [OAUTH-WG] Step-up Authentication review

2022-04-22 Thread Pieter Kasselman
d avoids pushing more complexity to the client. There is still a risk that the resource server misinterprets the acr values or history, but that risk already exists, and having the history enables the resource server to take all the information explicitly into account when applying policies. Step 7-9

Re: [OAUTH-WG] Step-up Authentication review

2022-04-21 Thread Filip Skokan
Hello Rifaat, Brian, Vittorio, everyone, As a follow-up to the last IETF meeting, I've reviewed the step up authentication draft again. Aside from a number of typos and what was shared and discussed at the IETF meeting in person, I believe the mechanism could use an AS discovery component. I