OpenAM / OPENAM-17773

The acr_values parameter is mandatory on CIBA bc-authorize endpoint


Details


    Description

      Bug description

      In the context of validating the conformance of the AM platform for the CIBA authentication flow, we have identified a blocking issue with the acr_values parameter.

      The acr_values parameter is expected to be mandatory in the CIBA bc-authorize signed request. In the OpenID spec this parameter is marked as optional.

      How to reproduce the issue

      1. Configure an OAuth 2.0 provider and client for the Back Channel Request grant type
      2. Create a request object containing all the mandatory CIBA claims (acr_values not included)
      3. Sign the request object
      4. Call the backchannel authentication endpoint
      Expected behaviour
      Response code 200 Success with a valid auth_req_id
      
      Current behaviour
      Response code 400 Bad Request
      {
         "error_description":"acr_values invalid or missing",
         "error":"invalid_request"
      }
      

      Work around

      Include acr_values claim in the signed request.

      Code analysis

      org.forgerock.oauth2.restlet.BackChannelResource.java
      Method: validateAcr seems to expect a mandatory acr_values.
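As an added example (not OpenAM code and not from the reporter), here are reproduction steps 2 to 4 and the workaround in runnable Python: it builds a signed CIBA request object carrying the claims CIBA Core 7.1.1 requires, with and without acr_values, and runs it through a toy bc-authorize validator that either follows the spec (acr_values optional) or mimics the 400 response quoted above. The client id, issuer URL, HS256 secret and login hint are constructed values, HS256 stands in for whatever key the real client signs with, and the validator's claim checks are a simplified reading of the spec, not AM's validateAcr logic.

```python
"""Signed CIBA request object + toy backchannel authentication endpoint.

Added example, not OpenAM/AM code. CLIENT_ID, ISSUER_URL, CLIENT_SECRET and
the login hint are constructed; HS256 via hmac stands in for the client's
real signing key so the whole thing runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional, Tuple

CLIENT_ID = "ciba-client"                             # constructed client id
ISSUER_URL = "https://am.example/am/oauth2"           # constructed issuer / aud
CLIENT_SECRET = b"demo-client-secret-do-not-reuse"    # constructed HS256 key

REQUIRED_JWT_CLAIMS = ("iss", "aud", "exp", "iat", "nbf", "jti")   # CIBA Core 7.1.1
HINTS = ("login_hint", "login_hint_token", "id_token_hint")        # exactly one


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Step 3: JWS compact serialisation (RFC 7515) with HS256, no library."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def build_ciba_claims(login_hint: str, acr_values: Optional[str] = None,
                      now: Optional[int] = None) -> dict:
    """Step 2: the mandatory CIBA request-object claims plus the request
    parameters. acr_values is only added when the caller supplies it."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": CLIENT_ID, "aud": ISSUER_URL,
        "iat": now, "nbf": now, "exp": now + 300,
        "jti": str(uuid.uuid4()),
        "scope": "openid",
        "login_hint": login_hint,
    }
    if acr_values is not None:          # the workaround: include the claim
        claims["acr_values"] = acr_values
    return claims


def _error(description: str) -> Tuple[int, dict]:
    return 400, {"error": "invalid_request", "error_description": description}


def bc_authorize(request_jwt: str, secret: bytes, require_acr: bool = False,
                 now: Optional[int] = None) -> Tuple[int, dict]:
    """Step 4, server side: returns (status, json_body).
    require_acr=False follows CIBA Core (acr_values OPTIONAL);
    require_acr=True reproduces the AM response quoted in the report."""
    try:
        h64, p64, s64 = request_jwt.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":          # pin alg before verifying
            return _error("unsupported alg")
        expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return _error("request signature invalid")
        claims = json.loads(_b64url_decode(p64))
    except ValueError:                            # bad base64 / JSON / structure
        return _error("request is not a valid compact JWS")
    now = int(time.time()) if now is None else now
    missing = [c for c in REQUIRED_JWT_CLAIMS if c not in claims]
    if missing:
        return _error("missing claims: " + ", ".join(missing))
    if claims["iss"] != CLIENT_ID or claims["aud"] != ISSUER_URL:
        return _error("iss or aud mismatch")
    if not claims["nbf"] <= now < claims["exp"]:
        return _error("request object expired or not yet valid")
    if "openid" not in str(claims.get("scope", "")).split():
        return _error("scope must include openid")
    if sum(h in claims for h in HINTS) != 1:
        return _error("exactly one of login_hint, login_hint_token, id_token_hint is required")
    if require_acr and not claims.get("acr_values"):
        return _error("acr_values invalid or missing")   # observed AM behaviour
    return 200, {"auth_req_id": str(uuid.uuid4()), "expires_in": 120, "interval": 5}


if __name__ == "__main__":
    jwt = sign_request_object(build_ciba_claims("alice@example.com"), CLIENT_SECRET)
    print("spec-conformant server:", bc_authorize(jwt, CLIENT_SECRET))
    print("acr_values-mandatory server:", bc_authorize(jwt, CLIENT_SECRET, require_acr=True))
```

Running the script shows the same request object accepted by the spec-conformant validator and rejected with "acr_values invalid or missing" by the strict one; passing acr_values to build_ciba_claims makes the strict validator accept it too, which is the workaround described above.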
      

          People
            apforrest Andrew Forrest
            marian.tiris Marian Tiris