...

  1. Clients MAY indicate the required Authentication context “acr” as part of the client registration process or dynamically as part of a Connect Authorization request.
    1. Trust frameworks using this profile SHOULD use short names for their Authentication Contexts that are registered in the IANA registry. Full URIs may also be used as names, but are not recommended.
  2. Clients and Personally Identifiable Information (PII)
    1. The Authorization Server MUST prompt the Resource Owner to explicitly accept all scope parameters requested by the Client. The Authorization Server must ignore any scope parameters received from the Client which the Resource Owner has forbidden. The Authorization Server MAY cache authorization for a client across sessions to avoid re-prompting the user for consent already granted.
  3. The Authorization Server must provide a way during registration for Clients to register the following:
    1. Authentication time claim in the id_token is REQUIRED: (require_auth_time) True/False
    2. Maximum Authentication Age: (default_max_age) Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. The max_age request parameter overrides this default value. If omitted, no default Maximum Authentication Age is specified.
    3. A grant_type of refresh_token is prohibited in this profile. (This was in the GSA profile, but I can't think of a good reason to prohibit it.)
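The registration parameters above, as an added example that is not part of the profile text: a Relying Party side check of the id_token auth_time claim against the registered require_auth_time and default_max_age values and a per-request max_age override. Function names, the registration dictionary layout and the 60-second clock skew allowance are my own assumptions.

```python
import time


def effective_max_age(registration, request_max_age=None):
    """Return the Maximum Authentication Age that applies, or None.

    The max_age request parameter overrides the registered default_max_age;
    if neither is present, no Maximum Authentication Age is specified.
    """
    if request_max_age is not None:
        return int(request_max_age)
    return registration.get("default_max_age")  # None when not registered


def check_auth_time(id_token_claims, registration, request_max_age=None, now=None):
    """Validate auth_time against require_auth_time / default_max_age / max_age.

    Returns (ok, reason). Assumes signature, issuer, audience and expiry of the
    id_token were already verified; this only covers authentication freshness.
    """
    now = int(time.time()) if now is None else now
    max_age = effective_max_age(registration, request_max_age)
    auth_time = id_token_claims.get("auth_time")

    # auth_time is required when the client registered require_auth_time, and
    # OpenID Connect Core also requires it whenever a max_age was requested.
    if auth_time is None:
        if registration.get("require_auth_time") or max_age is not None:
            return False, "auth_time claim missing but required"
        return True, "no auth_time requirement applies"

    # Reject non-integer or future timestamps (60 s skew allowance is an assumption).
    if not isinstance(auth_time, int) or auth_time > now + 60:
        return False, "auth_time is not a valid past timestamp"

    if max_age is not None and now - auth_time > max_age:
        return False, f"authentication is {now - auth_time}s old, limit is {max_age}s"
    return True, "auth_time acceptable"
```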

...