OpenAM issue OPENAM-18048

Anonymous session upgrade does not show correct id_token acr


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version: 7.1.0
    • Fix Version: None
    • Component: OpenID Connect

Description

Bug description

If you upgrade an anonymous session to a user session, and then get an id_token, the acr claim does not reflect the authentication context used when the session was upgraded.

How to reproduce the issue

1. Create anonymous tree (Start > Anonymous > Success)
2. Create anonymousUpgrade tree
3. Create OAuth2 Provider service and add OpenID Connect acr_values to Auth Chain Mappings for both trees (anonymous:anonymous and anonymousUpgrade:anonymousUpgrade)
4. Create OAuth2 Client (nothing special required here)
5. Authenticate to anonymous tree
6. Upgrade session by authenticating to anonymousUpgrade using demo user
7. Call authorize endpoint
8. Use authorization code to get an id_token
9. View decoded JWT

Expected behaviour

JWT acr claim should show anonymousUpgrade

Current behaviour

JWT acr claim shows anonymous

Workaround

This seems to work fine when upgrading the session for a user that isn't anonymous. The customer also discovered that it does work if you name the anonymous acr_value acr-1 and the anonymousUpgrade tree's acr_value acr-2, so the acr_value naming convention has an impact on the behaviour.
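A relying party that uses the acr claim to decide whether a session has been upgraded beyond anonymous would accept the wrong context under this bug. The check below is an added example, not code from the OpenAM project or this report: it verifies an id_token and then rejects it when the acr claim does not match the tree the client required. To run offline it signs a constructed token with HS256 and a constructed shared secret; a real OpenAM id_token is RS256-signed and would be verified against the provider's JWKS instead.

```python
# Added example (not from OPENAM-18048): relying-party check that an id_token's
# acr claim matches the authentication tree the client required.
# Assumption: HS256 with a constructed shared secret so the example runs offline.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed for the demo, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a minimal HS256 id_token from constructed claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_acr(token: str, expected_acr: str, secret: bytes = SECRET):
    """Verify the signature, then require acr == expected_acr.
    Returns (accepted, reason) so the caller can log why a token was rejected."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    acr = claims.get("acr")
    if acr != expected_acr:
        # The case this report describes: the session was upgraded through
        # anonymousUpgrade, but the token still carries the anonymous acr.
        return False, f"acr mismatch: got {acr!r}, required {expected_acr!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed claims mirroring the report: subject 'demo', acr still 'anonymous'.
    buggy = make_id_token({"sub": "demo", "acr": "anonymous", "iat": int(time.time())})
    print(verify_acr(buggy, "anonymousUpgrade"))  # (False, "acr mismatch: ...")
```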

People

Assignee: Unassigned
Reporter: aaron.haskins (Aaron Haskins)