My authentication level should depend on my authentication method

[bjdmeest]

My authentication level should depend on my authentication method

Pitch

In Doccle, some documents you can see with username/password; others require a more secure method.
By allowing a combination of multiple authentication methods (ranging from very 'weak' to very 'strong'),
users can log in with very low threshold and get as much UX as possible, with possible progressive increase of security

Desired solution

• Encode the rules for specifying 'weak' and 'strong' authentication methods
• Have authentication rules depending on whether the authentication methods is weak vs strong.
• Automatically apply the right authentication rules

Acceptance criteria

• I log into an app using username/password
• That app shows 2 documents: a useless document and an important document
• I can view the useless document without further ado
• I cannot access the important document.
• If I log into the app with a strong authentication method, I can access all documents

Pointers

• The OpenId Connect 1.0 spec already accommodates requesting the Authentication Context Class of the method of authentication, so you can facilitate this: https://openid.net/specs/openid-connect-core-1_0.html#IDToken (see acr claim)