Idea ID: 2871065

Ability the specify auth contract for OIDC & OAuth flows

Status : Delivered
1 month ago

Currently with other authentication protocols (SAML, etc) we can specify the auth contract to be used on a per client basis.

While we can specify this info as part of the acr_values parameter in the request/redirect URL, not all applications allow additional parameters to be added to the URL/sent from the application.

The ability to select the auth contract to be used on the NAM side would provide greater flexibility for onboarding of OIDC/OAuth apps.

Example usage would be to prefer Kerberos as the auth contract and fall back on form based.


  • I think this is delivered as part of NAM 5.0 SP1.

    Please see

    • Click Authentication Contract to configure authentication contracts for the client application. This configuration is available in Access Manager 5.0 Service Pack 1 and later.

      When you configure authentication contracts for a client application using here, this server-side configuration takes precedence. After this configuration, the ACR value in the request is ignored, and contracts are used for authentication.

      In Available Contract, select contracts that you want to be used for authentication and move these to Satisfy Contract. By default, the first contract in the list is used. For the Resource Owner Credentials flow, if the identity provider does not support that contract, then the next contract in the list is used for authentication.