...
Here's another perspective that can maybe help to get us on the same page: You can think of my suggestion of "constraint expressions" as a way to dynamically define a new AuthenticationHandler (along with the corresponding Credentials and UserInteraction), composed of other pre-existing handlers, without needing to write code. Then, each AuthenticationHandler (whether Java-based or expression-based) is given a name and a number. And, again, I'm not tied to the concept of an expression... I'm more tied to the concept of deployers being able to easily compose existing authentication methods together without writing code (and with automatically also composing all necessary related components like credentials and user interactions).
Jérôme :
I'm not tied to my basic solution either. Above all, I want to stick to the most simple solution. I admit that expressions allow composition, which is better than re-coding authentication handlers, credentials...
I have one question though : how do you evaluate the "initial" attribute ? Isn't it an information you only get after authenticating the user in the authentication handler ?
B) Level of assurance (new)
...