OpenAM / OPENAM-10989

Add step up capability with OIDC by adding support for id_token_hint

Details

Description

As a customer I want to implement step-up authentication in a standards-compliant way, using OIDC. This will allow rapid deployment of step-up authN using pre-rolled OIDC clients and enable better integration with third-party products.

This currently cannot be achieved using the existing support for acr_values as there is no means for an OIDC client to return the ID token to OpenAM.

Ideally this could work by providing the current ID token of the user in combination with acr classes defined in acr_values. The entry in acr_values would map to a chain. If the user denoted by their ID token has already authenticated to a particular authN level, the modules that match that authN level in the chain would be skipped, requiring the user to authN only with the remaining modules in the chain with a higher authN level (typical OpenAM step-up).

The OIDC spec has an optional authentication request parameter id_token_hint in section 3.1.2.1 which provides a standards-compliant way for the client to submit an ID token.

id_token_hint

OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
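The step-up logic proposed above (acr_values selects a chain; a valid id_token_hint proves a level already reached; only higher-level modules remain) as an added, stand-alone illustration, not OpenAM code. The issuer, the HS256 key, the acr-to-chain mapping and the chains with their authN levels are all constructed for the example; the point is that a hint which fails signature, issuer or expiry checks must count as no prior level rather than skip anything.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://openam.example.com/openam/oauth2"  # constructed OP issuer
HS256_KEY = b"constructed-demo-key"  # constructed; a real OP verifies with its own signing key

# Constructed mapping: acr value -> chain, chain -> ordered (module, authN level).
ACR_TO_CHAIN = {"urn:example:acr:1": "ldapOnly", "urn:example:acr:2": "ldapThenOtp"}
CHAINS = {"ldapOnly": [("DataStore", 1)],
          "ldapThenOtp": [("DataStore", 1), ("HOTP", 2)]}

def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(sub, acr, exp, key=HS256_KEY):
    """Mint a minimal HS256 ID token as the OP would (constructed demo helper)."""
    seg = [_b64url_encode(json.dumps(x).encode()) for x in
           ({"alg": "HS256", "typ": "JWT"}, {"iss": ISSUER, "sub": sub, "acr": acr, "exp": exp})]
    sig = hmac.new(key, ".".join(seg).encode(), hashlib.sha256).digest()
    return ".".join(seg + [_b64url_encode(sig)])

def verify_id_token_hint(token, now, key=HS256_KEY):
    """Claims of a valid hint, or None (bad signature, issuer or expiry must not lower the bar)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject alg confusion (e.g. "none")
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(s), expected):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims

def remaining_modules(acr_values, id_token_hint=None, now=None):
    """Modules of the chain chosen by acr_values that the user must still pass:
    those whose level exceeds the level already proven by a valid id_token_hint.
    The caller must also bind claims['sub'] to the user being stepped up."""
    now = time.time() if now is None else now
    chain = next((CHAINS[ACR_TO_CHAIN[a]] for a in acr_values.split() if a in ACR_TO_CHAIN), None)
    if chain is None:
        raise ValueError("no acr_values entry maps to a chain")
    claims = verify_id_token_hint(id_token_hint, now) if id_token_hint else None
    reached = 0  # no usable hint: the whole chain is required
    if claims and claims.get("acr") in ACR_TO_CHAIN:
        reached = max(level for _, level in CHAINS[ACR_TO_CHAIN[claims["acr"]]])
    return [module for module, level in chain if level > reached]
```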

People

Assignee: Unassigned
Reporter: Simon Harding