OIDC QoA Specification
Previously, application owners had to select the exact authentication methods (password, mTAN, AuthApp, Vasco, Kerberos, Smartcard, Mobile ID, FIDO security key) that the user could use to access the application. With the new QoA concept, the corresponding QoA class can be specified directly in the OIDC request, which makes it possible to present the user with all authentication methods that correspond to at least this QoA level.
The information regarding the QoA concept can be found at: Quality of Authentication (QoA)
eIAM "AuthnContextClasses"
These are the new "AuthnContextClasses" used to request authentication of a user:

| Authentication Level | AuthnContextClasses |
|---|---|
| QoA10 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:10 |
| QoA20 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:20 |
| QoA30 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:30 |
| QoA40 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:40 |
| QoA50 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:50 |
| QoA51 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:51 |
| QoA60 | urn:qoa.eiam.admin.ch:names:tc:ac:classes:60 |
Example of an OIDC authentication request "acr_values"
You can request a specific QoA with the parameter acr_values in the authentication request. The value of the parameter must be one of the QoA URNs (e.g. urn:qoa.eiam.admin.ch:names:tc:ac:classes:40), and the URN must be URL-encoded. If you specify an invalid acr value, authentication will fail. These parameters must be URL-encoded:

| Parameter | Remarks |
|---|---|
| response_type | Must always be code, as we only support the authorization code flow. |
| scope | Scope is always openid. |
| client_id | Will be provided by eIAM during the integration of the application. |
| redirect_uri | All redirect URLs that will be used by the application need to be provided to eIAM. The URL passed in this parameter must be known to us, otherwise the request will fail. |
| acr_values | This parameter is used to request the QoA that is required to access the application. |
Example of the "OIDC response"
We consider the requested QoA level as the minimum. If the user reaches a higher level, we accept it and inform the application in the response.
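As an added example (not code from the eIAM documentation), the following Python builds the authorization request described above with a URL-encoded acr_values parameter, and on the relying-party side checks that the level the user actually reached is at least the level that was requested, since the requested class is only a minimum. It assumes that the achieved level is reported in the standard OIDC `acr` claim of the ID token, that the numeric suffix of the URN orders the classes (10 < 20 < 30 < 40 < 50 < 51 < 60), and it adds the standard OAuth 2.0 `state` parameter, which is not in the table above. The endpoint, client id and redirect URI are placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# The AuthnContextClasses from the table above, in ascending order of assurance.
# Assumption: the numeric suffix orders the levels (10 < 20 < ... < 50 < 51 < 60).
QOA_PREFIX = "urn:qoa.eiam.admin.ch:names:tc:ac:classes:"
QOA_LEVELS = ["10", "20", "30", "40", "50", "51", "60"]
QOA_CLASSES = {"QoA" + lvl: QOA_PREFIX + lvl for lvl in QOA_LEVELS}


def is_valid_qoa_urn(urn):
    """True only for one of the seven published eIAM QoA classes."""
    return isinstance(urn, str) and urn.startswith(QOA_PREFIX) \
        and urn[len(QOA_PREFIX):] in QOA_LEVELS


def qoa_rank(urn):
    """Numeric rank of a QoA URN; an unknown acr value is an error, never a
    silently accepted level."""
    if not is_valid_qoa_urn(urn):
        raise ValueError("not a known eIAM QoA URN: %r" % (urn,))
    return int(urn[len(QOA_PREFIX):])


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, qoa_urn, state):
    """Build the authorization-code request. urlencode() percent-encodes the
    colons in the URN, which is the URL-encoded form the request requires."""
    qoa_rank(qoa_urn)  # fail early on a URN the IdP would reject anyway
    params = {
        "response_type": "code",       # only the authorization code flow is supported
        "scope": "openid",
        "client_id": client_id,        # issued by eIAM at integration time
        "redirect_uri": redirect_uri,  # must be pre-registered with eIAM
        "acr_values": qoa_urn,         # the minimum QoA the application needs
        "state": state,                # standard OAuth 2.0 CSRF binding (not in the table above)
    }
    return authorize_endpoint + "?" + urlencode(params)


def requested_qoa_from_url(url):
    """Decode the acr_values parameter back out of a request URL."""
    query = parse_qs(urlparse(url).query)
    return query["acr_values"][0]


def achieved_qoa_satisfies(id_token_claims, requested_urn):
    """Relying-party check: accept the login only if the level reported by the
    IdP is at least the requested one. Assumption: the achieved level arrives in
    the standard OIDC 'acr' claim. A missing or unknown acr is rejected."""
    achieved = id_token_claims.get("acr")
    if not is_valid_qoa_urn(achieved):
        return False
    return qoa_rank(achieved) >= qoa_rank(requested_urn)


if __name__ == "__main__":
    # Constructed sample values; endpoint, client id and redirect URI are placeholders.
    url = build_authorization_url(
        "https://idp.example.invalid/authorize", "my-client-id",
        "https://app.example.invalid/callback", QOA_CLASSES["QoA40"], "constructed-state")
    print(url)
    print(achieved_qoa_satisfies({"acr": QOA_CLASSES["QoA50"]}, QOA_CLASSES["QoA40"]))  # True
    print(achieved_qoa_satisfies({"acr": QOA_CLASSES["QoA30"]}, QOA_CLASSES["QoA40"]))  # False
```

The relying party should not assume the IdP enforced the minimum on its behalf: it requested QoA40, so it compares the returned class against QoA40 and treats a lower, missing or unrecognised acr as a failed login.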