Understanding scopes and scores in the Quasr Tenant Admin UI.
On the previous page, we showed how a sample authorization request with the requested scope openid was executed: entering a Username and Time-Based One-Time Password sufficed to pass the login page, and the client application received an ID Token.
How did Quasr, as the Authorization Server, know that a username and Time-Based One-Time Password are sufficient, and why did it not ask the user for an additional factor (also known as Multi-Factor Authentication)?
In short: the Sample Client requested the scope openid, which has a required score of 2 assigned. Scopes are defined and listed in the Tenant Admin UI under the menu item "Controls", and you can see the score of each one in the list.
Controls in the Quasr Tenant Admin UI (OpenID Connect 1.0 scope has a default score of 2)
This means that the user has to keep authenticating with their authentication factors until the accumulated total score is at least 2. Each authentication factor adds to the total score. The score for each can be seen in the factors table - in our example, we used the Username (score 0) and the Time-Based One-Time Password (score 3), which add up to 3 and therefore pass the "gate" of score 2.
Factors in the Quasr Tenant Admin UI (the username factor has a default score of 0 and the authenticator app 3, so both together total 3)
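The gate described above can be modelled offline to review a score configuration before changing it. The following is an added example, not Quasr code or its API: the function names are hypothetical, scores are assumed to add up once per factor, and the "password" factor and "admin" scope are constructed values (only openid = 2, username = 0 and TOTP = 3 come from this page). It lists the smallest factor sets that pass each scope and flags scopes that a single score-bearing factor can satisfy.

```python
from itertools import combinations

# From this page: scope openid requires 2; Username scores 0; TOTP scores 3.
# Constructed for illustration: the "admin" scope and the "password" factor.
SCOPE_SCORES = {"openid": 2, "admin": 5}
FACTOR_SCORES = {"username": 0, "totp": 3, "password": 2}


def gate_passed(scope, completed_factors,
                scope_scores=SCOPE_SCORES, factor_scores=FACTOR_SCORES):
    """True when the summed scores of the completed factors reach the scope's score."""
    total = sum(factor_scores[f] for f in set(completed_factors))
    return total >= scope_scores[scope]


def minimal_factor_sets(scope,
                        scope_scores=SCOPE_SCORES, factor_scores=FACTOR_SCORES):
    """Smallest combinations of score-bearing factors that pass the scope's gate.

    Factors with score 0 (such as the username) are left out because they
    never move the total. Returns sorted tuples, or [] if the gate is unreachable.
    """
    required = scope_scores[scope]
    scoring = sorted(f for f, s in factor_scores.items() if s > 0)
    for size in range(len(scoring) + 1):
        hits = [combo for combo in combinations(scoring, size)
                if sum(factor_scores[f] for f in combo) >= required]
        if hits:
            return hits
    return []


def single_factor_scopes(scope_scores=SCOPE_SCORES, factor_scores=FACTOR_SCORES):
    """Scopes for which no second score-bearing factor is ever required."""
    return sorted(
        scope for scope in scope_scores
        if any(len(combo) <= 1
               for combo in minimal_factor_sets(scope, scope_scores, factor_scores))
    )


if __name__ == "__main__":
    for scope in SCOPE_SCORES:
        print(scope, "->", minimal_factor_sets(scope))
    print("satisfiable with one factor:", single_factor_scopes())
```

Running the audit again after editing a score in the two dictionaries shows whether the change lets a scope pass with fewer factors than intended.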
You can modify the scores of scopes as well as factors, but by default they are set to what is considered best practice. The default settings are as follows: