If an OAuth relying party is configured to have more than one authentication method, it is possible to skip the selection menu or limit the choices using the acr_values parameter in the OIDC authentication request.
This allows a calling application to implement its own discovery capability.
Typically this is used to enable an application to skip the discovery service of an upstream IDP by selecting the authentication method already at the relying party.
For this example, we will use an application using OpenID Connect that is connected to two authentication methods: one for BankID Mobile and the other for traditional client PKI certificate based BankID.
To enable calling a specific authentication method, you must assign a unique acr_values to each method in the OpenID Connect Authentication Context Class Reference field found in the method settings page (Home → Methods → Select method).
For example, for the method that is for BankID Mobile use bankidmobile
For example, for the method that is for BankID use bankid
When creating the authorization request in the calling application, include the value of the method you wish to select. For example, to select standard BankID use
or for BankID Mobile
If no acr_values parameter is specified, both methods (or all methods enabled for the agent) will be displayed in a menu for the user.
If the request is unsigned, it is important that the relying party verifies that the authentication was performed successfully using the desired method by checking the acr and/or amr (Authentication Method Reference) value in the response returned. The amr value and acr value are visible in the example userinfo response below
If the values do not match what was requested, the application must handle the situation.
Where possible, follow standard naming conventions for best interoperability. Standard amr values are defined in RFC 8176 https://tools.ietf.org/html/rfc8176
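The two halves of the procedure above, building an authorization request that carries acr_values and then checking the acr and amr claims that come back, as an added example in Python. This is not Ubisecure's code; the authorization endpoint, client_id and redirect_uri are placeholders, the acr_values names bankid and bankidmobile are assumed to match what was configured in the method settings, and the claims passed to the verifier are a constructed sample, not a real userinfo response.

```python
"""Added example (not Ubisecure's code): pre-select an authentication method
with acr_values and verify the method actually used from the returned claims.

Assumptions (hypothetical): AUTHORIZE_ENDPOINT, client_id and redirect_uri are
placeholders; the acr_values names match the Authentication Context Class
Reference configured on each method.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder authorization endpoint; replace with the relying party's real one.
AUTHORIZE_ENDPOINT = "https://sso.example.invalid/oauth2/authorization"


def build_authorization_url(client_id, redirect_uri, acr_values=(), state=None, nonce=None):
    """Build an OIDC authorization request URL.

    acr_values is a list of method names; it is sent space-separated. One value
    skips the selection menu, several values restrict the menu to those methods,
    and an empty list leaves the menu showing every method enabled for the agent.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        # state and nonce are generated fresh per request when not supplied
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def requested_acr_values(url):
    """Recover the acr_values list from an authorization URL (for logging or
    for comparing against the response later)."""
    return parse_qs(urlsplit(url).query).get("acr_values", [""])[0].split()


def verify_authentication_method(claims, requested_acr, required_amr=()):
    """Check the claims returned for the session against what was requested.

    - If acr_values was sent, the acr claim must be one of the requested names.
    - Every value in required_amr must appear in the amr claim list.
    With an unsigned request the relying party cannot assume the provider
    honoured acr_values, so this check is what enforces the selection.
    """
    if requested_acr and claims.get("acr") not in requested_acr:
        return False
    amr = set(claims.get("amr") or [])
    return set(required_amr) <= amr


if __name__ == "__main__":
    url = build_authorization_url("app-client-id", "https://app.example.invalid/cb", ["bankid"])
    print(url)
    # Constructed sample of the claims an RP might read from userinfo or the
    # ID token; the values are illustrative, not real provider output.
    sample_claims = {"sub": "user-123", "acr": "bankid", "amr": ["bankid"]}
    print(verify_authentication_method(sample_claims, requested_acr_values(url)))
```

The verifier is deliberately strict: a response whose acr names a different method than the one requested is rejected even if the authentication itself succeeded, which is the situation the text says the application must handle rather than silently accept.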
The OpenID Connect Authentication Context Class Reference field can accept multiple values separated by a whitespace character.
If more than one method has the same OpenID Connect Authentication Context Class Reference, the user will be shown a selection menu to choose the desired method.
Assigned values in the OpenID Connect Authentication Context Class Reference field become visible in the Configuration String field oidc.acr.
There is an API to retrieve the list of currently configured authentication methods enabled for a given relying party as a JSON response. Refer to Ubisecure SSO Discovery API for more information.
This technique could also be used to enable an application to remember what authentication the user selected on their previous visit and automatically select the same on the next visit. The calling application would have to manage and store this preference information.