Specifying authentication journeys using ACR values
The Ping SDKs for Android, iOS, and JavaScript leverage the standards-based authorization code flow with PKCE.
When using OIDC login, the client app can request which flow the authorization server uses by adding an Authentication Context Class Reference (ACR) parameter to the authorization request.
In the OpenID Connect specification, the ACR parameter identifies a set of criteria that the user must satisfy when authenticating to the OpenID provider, for example, which authentication journey or DaVinci flow the user should complete.
Adding ACR parameters
Select your platform below to learn how to add an ACR parameter to your applications.
- Android
- iOS
- JavaScript
Android
In the FRUser.browser() method, use the setAdditionalParameters function to add an acr_values parameter, and one or more ACR values:
// Requires: import java.util.HashMap; import java.util.Map;
FRUser.browser().appAuthConfigurer()
    .authorizationRequest(r -> {
        // Extra parameters appended to the OIDC authorization request
        Map<String, String> additionalParameters = new HashMap<>();
        additionalParameters.put("acr_values", "RegistrationJourney");
        r.setAdditionalParameters(additionalParameters);
    })
    .done()
    .login(this, new FRListener<FRUser>() {
        @Override
        public void onSuccess(FRUser result) {
            userinfo();
        }

        @Override
        public void onException(Exception e) {
            System.out.println(e);
        }
    });
Replace RegistrationJourney with the ACR key that your authorization server requires.
- PingOne
  Enter a single DaVinci policy, by using its flow policy ID, or one or more PingOne policies by specifying the policy names, separated by spaces or the encoded space character %20.
  Examples:
  - DaVinci flow policy ID: "d1210a6b0b2665dbaa5b652221badba2"
  - PingOne policy names: "Single_Factor%20Multi_Factor"
- PingOne Advanced Identity Cloud or PingAM
  Enter one or more of the ACR mapping keys as configured in the OAuth 2.0 provider service.
  To learn more, refer to Configure acr claims.
  You can list the available keys by inspecting the acr_values_supported property in the output of your OAuth 2.0 client’s /oauth2/.well-known/openid-configuration endpoint.
iOS
In the FRUser.browser() method, use the setCustomParam function to add an acr_values key parameter, and one or more ACR values:
func performCentralizedLogin() {
    FRUser.browser()?
        .set(presentingViewController: self)
        .set(browserType: .authSession)
        // Custom parameter appended to the OIDC authorization request
        .setCustomParam(key: "acr_values", value: "RegistrationJourney")
        .build().login { (user, error) in
            self.displayLog("User: \(String(describing: user)) || Error: \(String(describing: error))")
        }
    return
}
Replace RegistrationJourney with the ACR key that your authorization server requires.
- PingOne
  Enter a single DaVinci policy, by using its flow policy ID, or one or more PingOne policies by specifying the policy names, separated by spaces or the encoded space character %20.
  Examples:
  - DaVinci flow policy ID: "d1210a6b0b2665dbaa5b652221badba2"
  - PingOne policy names: "Single_Factor%20Multi_Factor"
- PingOne Advanced Identity Cloud or PingAM
  Enter one or more of the ACR mapping keys as configured in the OAuth 2.0 provider service.
  To learn more, refer to Configure acr claims.
  You can list the available keys by inspecting the acr_values_supported property in the output of your OAuth 2.0 client’s /oauth2/.well-known/openid-configuration endpoint.
JavaScript
In the TokenManager.getTokens() method, add an acr_values query parameter, and one or more ACR values:
await TokenManager.getTokens({
  login: 'redirect',
  query: {
    // Sent with the authorization request as the acr_values parameter
    acr_values: "RegistrationJourney"
  }
});
Replace RegistrationJourney with the ACR key that your authorization server requires.
- PingOne
  Enter a single DaVinci policy, by using its flow policy ID, or one or more PingOne policies by specifying the policy names, separated by spaces or the encoded space character %20.
  Examples:
  - DaVinci flow policy ID: "d1210a6b0b2665dbaa5b652221badba2"
  - PingOne policy names: "Single_Factor%20Multi_Factor"
- PingOne Advanced Identity Cloud or PingAM
  Enter one or more of the ACR mapping keys as configured in the OAuth 2.0 provider service.
  To learn more, refer to Configure acr claims.
  You can list the available keys by inspecting the acr_values_supported property in the output of your OAuth 2.0 client’s /oauth2/.well-known/openid-configuration endpoint.
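An added example, not Ping SDK code: it checks requested ACR keys against the acr_values_supported list from a discovery document, builds the space-separated acr_values string, and then confirms that the acr claim of an already signature-verified ID token is one of the requested values. The function names, the sample issuer, and the journey names other than RegistrationJourney are constructed for illustration, and it assumes a server that advertises its keys in acr_values_supported, as described for PingOne Advanced Identity Cloud or PingAM.

```javascript
// Constructed excerpt of an /oauth2/.well-known/openid-configuration response.
const sampleDiscovery = {
  issuer: "https://am.example.com/am/oauth2",
  acr_values_supported: ["RegistrationJourney", "LoginJourney", "StepUpJourney"],
};

// Build the acr_values string for the authorization request.
// Rejects keys the server does not advertise, so a typo fails in the client
// instead of silently falling back to whatever flow the server chooses.
function buildAcrValues(requested, discovery) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new Error("at least one ACR value is required");
  }
  // A missing acr_values_supported property means nothing can be confirmed.
  const supported = new Set(discovery.acr_values_supported || []);
  const unknown = requested.filter((value) => !supported.has(value));
  if (unknown.length > 0) {
    throw new Error(`unsupported ACR value(s): ${unknown.join(", ")}`);
  }
  // OpenID Connect: space-separated values, listed in order of preference.
  return requested.join(" ");
}

// acr_values is a voluntary request in OpenID Connect Core, so the client
// should confirm which class was actually satisfied before trusting the session.
// `idTokenClaims` must come from an ID token whose signature, issuer and
// audience were already validated (an assumption of this example).
function acrSatisfied(idTokenClaims, acrValues) {
  const requested = acrValues.split(" ").filter(Boolean);
  return (
    typeof idTokenClaims.acr === "string" &&
    requested.includes(idTokenClaims.acr)
  );
}

// Usage with the constructed data above; the resulting string is what would
// be passed as query.acr_values to TokenManager.getTokens().
const acrValues = buildAcrValues(["StepUpJourney", "RegistrationJourney"], sampleDiscovery);
console.log(acrValues);
console.log(acrSatisfied({ sub: "demo", acr: "RegistrationJourney" }, acrValues));
console.log(acrSatisfied({ sub: "demo", acr: "0" }, acrValues));
```
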