Technical Summary
It is not uncommon for resource servers to require different
authentication strengths or recentness according to the
characteristics of a request. This document introduces a mechanism
for a resource server to signal to a client that the authentication
event associated with the access token of the current request does
not meet its authentication requirements and specify how to meet
them. This document also codifies a mechanism for a client to
request that an authorization server achieve a specific
authentication strength or recentness when processing an
authorization request.
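As an added example (not part of the writeup or of any implementation listed below), the following Python models both halves of the mechanism described above: the resource server's check of the access token's `acr` and `auth_time` claims against its policy, producing the `insufficient_user_authentication` challenge that carries `acr_values` and `max_age`, and the client's translation of that challenge into parameters for the follow-up authorization request. The policy values, token claims and the acr URN are constructed sample data.

```python
"""Added example (not part of the shepherd writeup): a minimal model of the
OAuth 2.0 Step-up Authentication Challenge Protocol exchange.  Resource-server
side: compare the access token's `acr`/`auth_time` claims against the policy
for the requested resource and, on mismatch, emit the WWW-Authenticate challenge
carrying `acr_values` / `max_age`.  Client side: parse that challenge into the
parameters for the follow-up authorization request.  Policy values and token
claims are constructed sample data."""
import re
import time

INSUFFICIENT = "insufficient_user_authentication"  # error code from the protocol


def check_step_up(claims, required_acrs=(), max_age=None, now=None):
    """Return None if the token satisfies the resource's requirements, else the
    value of a WWW-Authenticate header telling the client how to step up."""
    now = time.time() if now is None else now
    unmet = []
    # Authentication strength: the token's acr must be one of the accepted values.
    if required_acrs and claims.get("acr") not in required_acrs:
        unmet.append('acr_values="%s"' % " ".join(required_acrs))
    # Authentication recency: auth_time must be within max_age seconds of now.
    # A token with no auth_time cannot prove recency and is treated as too old.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            unmet.append('max_age="%d"' % max_age)
    if not unmet:
        return None
    params = ['error="%s"' % INSUFFICIENT,
              'error_description="A different authentication level is required"']
    return "Bearer " + ", ".join(params + unmet)


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def authorization_request_params(challenge):
    """Client side: map a step-up challenge onto the authorization-request
    parameters (acr_values, max_age).  Returns None for any other challenge."""
    if not challenge.startswith("Bearer "):
        return None
    params = dict(_PARAM.findall(challenge[len("Bearer "):]))
    if params.get("error") != INSUFFICIENT:
        return None
    return {k: params[k] for k in ("acr_values", "max_age") if k in params}
```

If the authorization server cannot satisfy the requested `acr_values` or `max_age`, it answers the authorization request with the `unmet_authentication_requirement` error mentioned under Document Quality below, so the client should be prepared for that outcome rather than retrying indefinitely.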
Working Group Summary
There was WG consensus to publish this document and no noteworthy controversy.
Document Quality
1. Ping Identity
Has implementations of the functionality in this document for the authorization
server and resource server roles.
https://docs.pingidentity.com/r/en-us/pingaccess-71/mhu1564006734179
https://docs.pingidentity.com/r/en-us/pingfederate-112/pf_authoriz_endpoint
2. Authlete
Authlete 2.3, which is planned to be released next month (January 2023),
supports OAuth 2.0 Step-up Authentication Challenge Protocol.
https://www.authlete.com/developers/stepup_authn/
3. HelseID is planning to implement this:
https://helseid.atlassian.net/wiki/spaces/HELSEID/pages/493256708/How+to+do+a+step-up+of+the+authentication+level+of+a+user#Step-up-for-APIs
4. Apache HTTPd
The plan is to add support to the next release of mod_oauth2, an Apache HTTPd
module. https://github.com/zmartzone/mod_oauth2/blob/master/README.md
5. Duende
The current version of Duende IdentityServer supports everything included in
this proposal, except for the new unmet_authentication_requirement error which
has been added for v6.3.0 being released this summer.
https://duendesoftware.com/
Personnel
- Document Shepherd: Rifaat Shekh-Yusef
- Responsible AD: Roman Danyliw