Hello,

I read your document and I just want to say that I already manage ACR with multiple clientIds to protect encapsulated domains.

For example, for an ecommerce site I have a global clientId to allow the user to connect to the site and a specific clientId to protect user information like address or bank account.

When the client wants to access the protected user information, it will be redirected to the specific clientId, and the authorization server will provide a new authentication with, if necessary, a second factor. The client can also, if it knows that it must provide a specific token for this domain, request this specific token with a token exchange request.

Don't hesitate to tell me if I'm wrong and explain your point of view between multiple clientIds (for multiple domains) and ACR.

Regards,
Stéphane GINER
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org