By: kesavan dhilip user 26 Apr 2018 at 9:51 a.m. CDT

2 Responses
Hi Team, I worked on two-factor authentication (OTP) and also set a default ACR value on my client in the authorization server. But when a request is made from the client side (React, iOS, Android etc.) to access the OAuth server with acr_values, my problem is this: I set a default acr_value for my client, but the acr_value coming from the client side overwrites my default ACR value. I don't want the default acr_value to be overwritten by the one coming from the client side, since any hacker could use this to skip my default authentication (two-factor authentication). Please help me out to overwrite the acr_value.

By Michael Schwartz Account Admin 30 Apr 2018 at 2:28 p.m. CDT

- It's up to the client to make sure that the `acr` value in the id_token is acceptable.
- If you are worried about an attacker changing the `acr_values` param in transit, you should consider using a signed or, even better, a signed and encrypted request object. Banking guidelines go even further, requiring request object registration on the server and then using the `request_object_uri` param, which makes it even more tamper resistant.
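The two client-side measures in the answer above, as an added example that is not code from this thread, from Gluu, or from the poster's project: a signed request object that carries `acr_values` inside a JWT so the parameter cannot be altered in transit without breaking the signature, and a check on the returned id_token that refuses the login unless the verified `acr` claim is one the relying party accepts. It assumes a confidential client signing with HS256 under its client secret (a production client would normally use an asymmetric key registered with the OP); the issuer URL, client_id, redirect_uri, nonce values and the acr name `otp` are constructed for the example. Request object registration and `request_object_uri` are not shown.

```python
"""Client-side acr handling for an OpenID Connect relying party (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example: an assumed OP issuer, an assumed client
# and its shared secret, and the assumed name of the two-factor (OTP) acr.
ISSUER = "https://op.example.com"
CLIENT_ID = "example-rp"
CLIENT_SECRET = b"example-client-secret"
REDIRECT_URI = "https://rp.example.com/callback"
REQUIRED_ACRS = {"otp"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 over the JSON-encoded claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if the token is well formed, uses the expected alg and verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour 'none' or a downgrade
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def build_signed_request_object(nonce: str, acr_values, now=None) -> str:
    """Authorization request parameters carried as a signed JWT (sent as the `request` parameter).

    Because acr_values lives inside the signed payload, changing it in transit
    invalidates the signature and the OP rejects the request.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": CLIENT_ID,
        "aud": ISSUER,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
        "iat": now,
        "exp": now + 300,
    }
    return sign_jwt(claims, CLIENT_SECRET)


def acr_is_acceptable(id_token: str, expected_nonce: str, required_acrs=REQUIRED_ACRS) -> bool:
    """The client-side check: accept the login only if the verified id_token's acr is acceptable."""
    try:
        claims = verify_jwt(id_token, CLIENT_SECRET)
    except ValueError:
        return False
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return False
    if claims.get("nonce") != expected_nonce:   # binds the token to this authorization request
        return False
    return claims.get("acr") in required_acrs


if __name__ == "__main__":
    req = build_signed_request_object("n-1", ["otp"])
    print("request object claims:", verify_jwt(req, CLIENT_SECRET))
    # Constructed id_tokens: one issued after OTP, one after a weaker method.
    strong = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "nonce": "n-1", "acr": "otp"}, CLIENT_SECRET)
    weak = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "nonce": "n-1", "acr": "basic"}, CLIENT_SECRET)
    print(acr_is_acceptable(strong, "n-1"), acr_is_acceptable(weak, "n-1"))
```

The design point is that the relying party never trusts the `acr_values` it asked for; it trusts only the `acr` the OP asserts in a token whose signature, issuer, audience and nonce it has verified. A token that lacks `acr`, carries a weaker value, or was re-signed under another key all fail the same check.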

By kesavan dhilip user 09 May 2018 at 9:27 a.m. CDT

Hey Michael, thanks for your feedback. I don't want my client to override the default acr value. I need that to be integrated because my architecture requires it. Please provide a solution for it; it's very much required for me. Thanks, Kesavan