You can use ACR values to provide support for advanced authentication when you use Okta or any other third-party OAuth provider. These values provide a specific set of assurance level requirements that the protected resource requires from the authentication event associated with access and ID tokens. For more information on how to use the authentication, see Create a Web Client site.
The following table shows example ACR values and the expected parameters that will be sent in the authentication request:
|
Identity Provider |
ACR Values |
Authorization request parameters |
|---|---|---|
|
IDP Value |
blank |
&idp=IDP Value&acr_values=idp:IDP Value |
|
IDP Value |
NULL |
&idp=IDP Value |
|
IDP Value |
Valid Values |
&idp=IDP Value&acr_values=Valid values |
|
No IDP Value |
Valid Values |
&acr_values=Valid values |
|
No IDP Value |
blank |
Ignores the acr_value to be sent in the request |
|
No IDP Value |
NULL |
Ignores the acr_value to be sent in the request |
-
If you are using Okta, a set of predefined optional acr_values parameters is available from Okta support that you can use in your authorization requests.
-
Any unsupported ACR values sent in the authorize request will be ignored by Okta or any other third-party OAuth provider.