
Require and/or describe authentication methods in ID Token

Open · woutermont opened this issue 2 years ago · 1 comment

Because of its decentralized nature, authentication in Solid relies on the trust between a Client and an Identity Provider (OP). This trust can partially be based on the trust between the End-User and the OP (via the solid:oidcIssuer triple in the identity document), but also needs to be complemented with trust in the authentication mechanism(s) of that OP.

It would be valuable if the Solid-OIDC specification requires the use, or at least describes the possibility, of the following optional fields in the OP metadata (.well-known/oidc-configuration) and the retrieved ID Tokens, respectively.

  • acr_values_supported: [a] JSON array containing a list of the Authentication Context Class References that [the] OP supports

  • acr: [a] string specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied

Interesting Authentication Context Class References are OpenID PAPE levels or IANA LoA profiles. Any other absolute URI can also be used, assuming that there is a shared understanding of its meaning.

woutermont, Dec 14 '22 13:12
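Added example (not code from the Solid-OIDC specification or from this issue): what a Client could do with the two fields above once they are present, checking `acr_values_supported` in the OP metadata before redirecting and the `acr` claim in the returned ID Token afterwards. The accepted ACR list, the OP metadata and the token claims are constructed sample values.

```javascript
// Constructed client policy: the Authentication Context Class References this
// Client accepts (OpenID PAPE multi-factor and phishing-resistant policies).
const ACCEPTED_ACRS = new Set([
  "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
  "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant",
]);

// Step 1, before redirecting the End-User: read the OP's discovery metadata.
// Returns the acceptable ACRs the OP advertises, or null when the OP publishes
// no acr_values_supported at all (so there is nothing to base trust on yet).
function usableAcrValues(opMetadata, accepted = ACCEPTED_ACRS) {
  const supported = opMetadata.acr_values_supported;
  if (!Array.isArray(supported)) return null;
  return supported.filter((v) => typeof v === "string" && accepted.has(v));
}

// Step 2, after the ID Token has been retrieved and its signature verified:
// check the acr claim. A missing acr is treated as unsatisfied, and "0" is
// rejected because OIDC Core reserves it for authentication that met no
// assurance level at all.
function acrSatisfied(idTokenClaims, accepted = ACCEPTED_ACRS) {
  const acr = idTokenClaims.acr;
  if (typeof acr !== "string" || acr === "0") return false;
  return accepted.has(acr);
}

// Constructed sample inputs; no real OP, WebID or token is involved.
const sampleMetadata = {
  issuer: "https://op.example",
  acr_values_supported: [
    "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
    "urn:example:password-only",
  ],
};
const sampleClaims = {
  iss: "https://op.example",
  sub: "https://alice.example/profile/card#me",
  acr: "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
};

console.log(usableAcrValues(sampleMetadata)); // one acceptable ACR advertised
console.log(acrSatisfied(sampleClaims));      // true
```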

Thanks to @laurensdeb for pointing this out, and @RubenVerborgh for providing the opportunity for interaction 🙏

woutermont, Dec 14 '22 13:12