
AuthN step-up not working when using OIDC amr mappings

    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 6.5.2.2
    • None
    • AM 6.5.2.2 | 2 chains + 1 module in each
    • AM Sustaining Sprint 87, AM Sustaining Sprint 88
    • 3

      Description

      Bug description

      When performing a step-up authentication from one chain to another, the mapped amr claim still returns the value corresponding to the previous chain's authentication level.

      How to reproduce the issue

      1. Create an auth module 'password'.
      2. Create an auth module 'otp'.
      3. Create an auth chain 'chain1' and add the 'password' module to it.
      4. Create an auth chain 'chain2' and add the 'otp' module to it.
      5. Create an OAuth2/OIDC Provider service.
      6. Go to the provider's Advanced OpenID Connect tab.
      7. Create the OpenID Connect acr_values to Auth Chain Mapping with the keys and values below:
      8. Key -> password, Value -> chain1
      9. Key -> otp, Value -> chain2
      10. Create the OpenID Connect id_token amr Values to Auth Module Mappings with the keys and values below:
      11. Key -> password, Value -> password
      12. Key -> otp, Value -> otp
      13. Create an OAuth2 client with the settings below:
      14. Client id -> myClient, client_secret -> password, scope -> openid profile, Token Endpoint Authentication -> client_secret_post
      15. Get the authorization code, passing acr_values in the URL as well.

      Example: http://openam.example.com:8080/openam/oauth2/realms/root/authorize?client_id=myClient&response_type=code&scope=openid%20profile&state=abc1234&nonce=1234abc&redirect_uri=https://www.forgerock.com&acr_values=password&prompt=login

      Reference : https://backstage.forgerock.com/docs/am/7.1/oidc1-guide/openid-connect-authorization-code-flow.html#proc-auth-code-browser-oidc

      16. In the same browser session, request a new authorization code with &acr_values=otp&prompt=login so that AM performs a session upgrade.

      Example: http://openam.example.com:8080/openam/oauth2/realms/root/authorize?client_id=myClient&response_type=code&scope=openid%20profile&state=abc321&nonce=321abc&redirect_uri=https://www.forgerock.com&acr_values=otp&prompt=login

      17. Exchange the authorization code for an id_token.

      Reference : https://backstage.forgerock.com/docs/am/7.1/oidc1-guide/openid-connect-authorization-code-flow.html#proc-auth-code-browser-oidc


      Example (the code value is the authorization code obtained in step 16):
      curl --request POST \
      --data "grant_type=authorization_code" \
      --data "code=<code>" \
      --data "client_id=myClient" \
      --data "client_secret=password" \
      --data "redirect_uri=https://www.forgerock.com" \
      "http://openam.example.com:8080/openam/oauth2/realms/root/access_token" | jq .
      


      18. Inspect the id_token and confirm that amr carries the updated value; in this case amr should be `otp`. However, it showed amr as `password`.


      Example (the id_token payload segment is elided here; only the header and signature segments are shown):
      curl \
      --request POST \
      --data "client_id=myClient" \
      --data "client_secret=password" \
      --data "id_token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.<payload elided>.ocjpxJqwGYTFJv6bu3qQ9YEW3pRM5v0IK-S0FqHyT7ipyfLZ1TOyVCGuhkdHBzNeVk0AM7CDeyeT9bHDacMu9AfXNGLvTm8EaVIh5DqdyfoqvcVp23w0moTdcRP823ZLtKXiil5fs_JioPrcOMadRAKpSO3bM_6q4E_EuI13qsCsUeejpg7OZZG6bbr8Y5UziqMsAWyWaQc1T8SRQSKvzjj5gB0vUDM5zJGeW9HZh2c6K2FI9aynXdEwqGX1gqjKVg15bPwtt9YoTQ-H-5-YQmjWdX8sIlicMR__xEFa_bpPcj5surYLE7qD3_fYa5aR0MkJn_B2X8DAE9vbZSYZfg" \
      "http://openam.example.com:8080/openam/oauth2/idtokeninfo" | jq .
      


      Expected behaviour
      The authentication level should be higher after the step-up, and the amr claim should reflect that.
      Current behaviour
      The initial authentication level is preserved, and the amr claim returns the original value.
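The following is an added example, not part of the original issue, that automates the check in step 18: it derives the amr values a token should carry from the acr_values-to-chain and amr-to-module mappings in the reproduction steps, then compares the id_token issued before the session upgrade with the one issued after it. The mappings mirror the issue's configuration; the per-module authentication levels, the sample tokens (unsigned, constructed locally) and the function names are assumptions for the example, not AM's own code or configuration.

```python
import base64
import json

# Constructed to mirror the mappings in the reproduction steps. In AM these live
# in the OAuth2 provider service. The auth levels are assumed values (the issue
# does not state them), chosen so that 'otp' is a step up from 'password'.
ACR_TO_CHAIN = {"password": "chain1", "otp": "chain2"}
CHAIN_MODULES = {"chain1": ["password"], "chain2": ["otp"]}
AMR_TO_MODULE = {"password": "password", "otp": "otp"}
MODULE_AUTH_LEVEL = {"password": 1, "otp": 2}  # assumption, not from the issue


def expected_amr(acr_value):
    """amr values a token should carry once the chain mapped to acr_value has run:
    every amr whose mapped module is a member of that chain."""
    modules = set(CHAIN_MODULES[ACR_TO_CHAIN[acr_value]])
    return sorted(amr for amr, module in AMR_TO_MODULE.items() if module in modules)


def auth_level(amr_values):
    """Highest auth level among the modules the amr values map to (0 if none)."""
    levels = (MODULE_AUTH_LEVEL[AMR_TO_MODULE[a]] for a in amr_values if a in AMR_TO_MODULE)
    return max(levels, default=0)


def _b64url_decode(segment):
    # base64url without padding, as used in compact JWS serialisation
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token):
    """Read the claims of a compact JWS. The signature is NOT verified here: in
    the reproduction the token has already been validated by AM's idtokeninfo
    endpoint, and this helper only inspects what that validated token says."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_step_up(first_token, second_token, requested_acr):
    """Return (ok, reason). ok is True only if the second token carries the amr
    values expected for requested_acr and represents a higher auth level than
    the first token, i.e. the session upgrade is visible in the id_token."""
    before = decode_claims(first_token).get("amr", [])
    after = decode_claims(second_token).get("amr", [])
    want = expected_amr(requested_acr)
    if sorted(after) != want:
        return False, f"amr {sorted(after)} != expected {want} for acr_values={requested_acr}"
    if auth_level(after) <= auth_level(before):
        return False, f"auth level {auth_level(after)} did not rise above {auth_level(before)}"
    return True, "step-up reflected in amr and auth level"


def make_demo_token(claims):
    """Constructed, unsigned id_token-shaped string (alg=none, empty signature)
    used only as sample input here; AM issues RS256-signed tokens."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"typ": "JWT", "alg": "none"})
    return header + "." + enc(claims) + "."


# Token from the first authorization (acr_values=password), constructed sample.
FIRST_TOKEN = make_demo_token({"sub": "demo", "amr": ["password"], "auth_time": 1})
# Step 18 as reported: amr still says 'password' after requesting acr_values=otp.
BUGGY_SECOND_TOKEN = make_demo_token({"sub": "demo", "amr": ["password"], "auth_time": 2})
# The expected behaviour: amr reflects chain2's module.
GOOD_SECOND_TOKEN = make_demo_token({"sub": "demo", "amr": ["otp"], "auth_time": 2})

if __name__ == "__main__":
    for label, tok in (("reported", BUGGY_SECOND_TOKEN), ("expected", GOOD_SECOND_TOKEN)):
        print(label, check_step_up(FIRST_TOKEN, tok, "otp"))
```

To use it against a real deployment, pass the two id_tokens obtained in steps 15 to 17 to check_step_up after validating them with the idtokeninfo endpoint as in the reproduction; the check fails with the reported behaviour because the second token repeats the first token's amr rather than the one mapped from chain2.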
      

      Workaround

      None that I'm aware of.

      People

      kamal.sivanandam@forgerock.com Kamal Sivanandam
      alex.belovski Alex Belovski
      Votes: 4
      Watchers: 10