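%% You should probably cite rfc9470 instead of this I-D.
%% This entry describes revision -00 of a work-in-progress Internet-Draft.
%% Draft text can change between revisions, so when reviewing or implementing
%% the step-up challenge, check the details against RFC 9470, not this draft.
%%
%% Entry notes: author names use the unambiguous "Last, First" form, and only
%% the case-sensitive word "OAuth" is brace-protected in the title so that a
%% bibliography style can still apply its own casing to the rest.
@techreport{ietf-oauth-step-up-authn-challenge-00,
  author      = {Bertocci, Vittorio and Campbell, Brian},
  title       = {{OAuth} 2.0 Step-up Authentication Challenge Protocol},
  type        = {Internet-Draft},
  number      = {draft-ietf-oauth-step-up-authn-challenge-00},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2022,
  month       = may,
  day         = 11,
  pagetotal   = 11,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/00/},
  abstract    = {It is not uncommon for resource servers to require different authentication strengths or freshness according to the characteristics of a request. This document introduces a mechanism for a resource server to signal to a client that the authentication event associated with the access token of the current request doesn't meet its authentication requirements and specify how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or freshness when processing an authorization request.},
}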