Understanding Scopes & Scores
On the previous page, we showed how a sample authorization request with the requested scope openid was executed: entering a Username and Time-Based One-Time Password sufficed to pass the login page, and the client application received an ID Token.
How did Quasr, as the Authorization Server, know that a username and Time-Based One-Time Password are sufficient, and why did it not ask the user for an additional factor (also known as Multi-Factor Authentication)?
This is where the interplay of Authentication Factors, Scores and Scopes comes into play. Make sure to read the concept page on this.
In short: the Sample Client requested scope openid, which has a required score of 2 assigned. Scopes are defined and listed in the Tenant Admin UI under the menu item "Controls", and you can see the score of each right in the list.

It means that the user needs to accumulate a total score of at least 2 by successfully authenticating with their authentication factors until they reach this score. Each authentication factor adds to the total score. The score for each can be seen in the factors table. In our example, we used the Username (score 0) and the Time-Based One-Time Password (score 3), which adds up to 3 and therefore passed the "gate" of score 2.

You can modify the scores of scopes as well as factors, but by default they are set to what is considered best practice. The default settings are as follows:
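Default Factors

| Name | Type | Score |
| --- | --- | --- |
| Username | secret:id | 0 |
| Password | secret:password | 2 |
| Authenticator App | totp | 3 |
| One-Time Password | otp | 3 |
| Quasr | oauth2:quasr | 5 |
| Apple | oauth2:apple | 5 |
|  | oauth2:facebook | 5 |
| GitHub | oauth2:github | 5 |
|  | oauth2:google | 5 |
|  | oauth2:linkedin | 5 |
| Slack | oauth2:slack | 5 |
| Secret | secret:password | 5 |
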
Default Controls

| Name | Type | Score |
| --- | --- | --- |
| Account Access | scope | 2 |
| Admin Access | scope | 5 |
| OpenID Connect 1.0 | scope | 2 |
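
The score gate described above, as an added example (not Quasr's own code): it sums the scores of the factors a user has passed, compares the total with the requested scope's score, and lists the smallest sets of unused factors that would close a gap. The function names, the "strictest scope wins" rule for several scopes, counting each factor once, and treating the page's openid scope as the "OpenID Connect 1.0" control are assumptions.

```python
from itertools import combinations

# Default scores copied from the tables on this page, keyed by display name
# because "Password" and "Secret" share the type secret:password.
FACTOR_SCORES = {"Username": 0, "Password": 2, "Authenticator App": 3,
                 "One-Time Password": 3, "GitHub": 5, "Secret": 5}
SCOPE_SCORES = {"Account Access": 2, "Admin Access": 5, "OpenID Connect 1.0": 2}


def required_score(scopes):
    """Score gate for a request. Empty or unknown scopes are refused."""
    if not scopes or any(s not in SCOPE_SCORES for s in scopes):
        raise ValueError("empty or unknown scope; refusing to guess a score")
    # Assumption: with several scopes, the strictest one sets the gate.
    return max(SCOPE_SCORES[s] for s in scopes)


def step_up_options(gap, unused):
    """Smallest combinations of unused factors whose scores cover the gap."""
    for size in range(1, len(unused) + 1):
        hits = [combo for combo in combinations(sorted(unused), size)
                if sum(FACTOR_SCORES[f] for f in combo) >= gap]
        if hits:
            return hits
    return []  # the user cannot reach the gate with the enrolled factors


def evaluate(scopes, passed, enrolled):
    """Decide whether the factors passed so far satisfy the requested scopes."""
    need = required_score(scopes)
    used = set(passed)  # assumption: a factor counts once, even if repeated
    have = sum(FACTOR_SCORES[f] for f in used)
    options = [] if have >= need else step_up_options(need - have, set(enrolled) - used)
    return {"granted": have >= need, "score": have, "required": need, "options": options}


if __name__ == "__main__":
    # Constructed sessions: the page's own login, then an admin request.
    print(evaluate(["OpenID Connect 1.0"], ["Username", "Authenticator App"],
                   ["Username", "Authenticator App"]))
    print(evaluate(["Admin Access"], ["Username"],
                   ["Username", "Password", "Authenticator App"]))
```

With the defaults, a user who has only a Password and an Authenticator App enrolled reaches the Admin Access gate of 5 only by passing both, which is how the scores produce a multi-factor requirement without a separate MFA switch.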