OpenAM: OPENAM-8886

"OpenID Connect default acr claim" is not implemented

    Details

    • Sprint:
      AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47
    • Story Points:
      3

      Description

      In the OAuth2 provider service configuration, there is an option for setting the default acr value.

      It seems like this configuration is not read by OpenAM, so this feature is not implemented yet.

      OpenAM code

      The interface is there, the option is in there, but nothing is reading it.

      In OAuth2ProviderSettings.java, you have this function:

          /**
           * The default Authentication Context Class Reference (ACR) values to use for authentication if none is specified
           * in the request. This is a space-separated list of values in preference order.
           */
          String getDefaultAcrValues() throws ServerException;
      

      Description issue

      Probably linked to the fact that this option has not been implemented yet, the current description in the console does not say the same thing as the Javadoc:

      Console:

      Default value to use as the 'acr' claim in an OpenID Connect ID Token when using the default authentication chain.
      

      JavaDoc

          /**
           * The default Authentication Context Class Reference (ACR) values to use for authentication if none is specified
           * in the request. This is a space-separated list of values in preference order.
           */
      

      One suggests defining a single value, the other a list in preference order. (In my opinion, I also found the Javadoc clearer.)

      Is it best to put it in the agent profile instead?

      As this is not implemented yet, another question is: Would it make more sense to define this value in the OAuth2 agent profile?

      Why?

      You could have two agents with different default chains.

      Tips for the implementation

      You have acr_values, but also the "service" and "module" parameters. This option should be used if none of them is defined in the request.
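      One way to implement the fallback described in the tips above, as an added example that is neither OpenAM code nor the reporter's: a small resolver that honours acr_values from the request, then the "service" or "module" parameter, and only then reads the provider's default acr values as the space-separated, preference-ordered list the Javadoc describes. The Settings interface, the acr-to-chain mapping, the ordering of acr_values ahead of service/module, and the chain names in main() are all assumptions for the example; the real OAuth2ProviderSettings is only referred to, not used.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Added example, not OpenAM code. Resolves which authentication target a
 * client is sent to and which value the ID token's 'acr' claim should carry.
 *
 * Assumed precedence (the ticket only says the default applies when none of
 * the request parameters is present):
 *   1. acr_values from the request, first value with a configured mapping
 *   2. "service" (auth chain) or "module" parameter from the request
 *   3. the provider's default acr values, first value with a configured mapping
 *   4. the provider's default auth chain, with no acr claim
 */
public final class DefaultAcrResolution {

    /** Stand-in for OAuth2ProviderSettings; only the pieces this example needs. */
    public interface Settings {
        /** Space-separated acr values in preference order; may be null or blank. */
        String getDefaultAcrValues();
        /** acr value -> auth chain name; only mapped values are ever honoured. */
        Map<String, String> getAcrToChainMapping();
        String getDefaultAuthChain();
    }

    /** What the authorize endpoint decided, and which rule produced it. */
    public static final class Decision {
        public final String target;  // auth chain or module name
        public final String acr;     // value for the ID token's 'acr' claim, or null
        public final String source;

        Decision(String target, String acr, String source) {
            this.target = Objects.requireNonNull(target);
            this.acr = acr;
            this.source = source;
        }

        @Override public String toString() {
            return source + " -> target=" + target + ", acr=" + acr;
        }
    }

    public static Decision resolve(Map<String, String> query, Settings settings) {
        Decision d = fromAcrList(query.get("acr_values"), settings, "request acr_values");
        if (d != null) return d;

        String service = blankToNull(query.get("service"));
        if (service != null) return new Decision(service, null, "request service");

        String module = blankToNull(query.get("module"));
        if (module != null) return new Decision(module, null, "request module");

        d = fromAcrList(settings.getDefaultAcrValues(), settings, "provider default acr values");
        if (d != null) return d;

        return new Decision(settings.getDefaultAuthChain(), null, "provider default chain");
    }

    /**
     * Walks a space-separated acr list in preference order and returns the first
     * value the provider has mapped to a chain. Unmapped values are skipped on
     * purpose: a client must not be able to name arbitrary chains via acr_values.
     */
    private static Decision fromAcrList(String list, Settings settings, String source) {
        if (blankToNull(list) == null) return null;
        Map<String, String> mapping = settings.getAcrToChainMapping();
        for (String acr : list.trim().split("\\s+")) {
            String chain = mapping.get(acr);
            if (chain != null) return new Decision(chain, acr, source);
        }
        return null;
    }

    private static String blankToNull(String s) {
        return (s == null || s.trim().isEmpty()) ? null : s.trim();
    }

    public static void main(String[] args) {
        // Constructed provider configuration (hypothetical chain names).
        Map<String, String> mapping = new LinkedHashMap<>();
        mapping.put("mfa", "TwoFactorChain");
        mapping.put("pwd", "ldapService");
        Settings settings = new Settings() {
            public String getDefaultAcrValues() { return "mfa pwd"; }
            public Map<String, String> getAcrToChainMapping() { return Collections.unmodifiableMap(mapping); }
            public String getDefaultAuthChain() { return "ldapService"; }
        };

        // Constructed requests: mapped acr_values, an unmapped acr value that must
        // fall through, an explicit service, and a request with none of the three.
        Map<String, String> mapped   = Collections.singletonMap("acr_values", "pwd mfa");
        Map<String, String> unmapped = Collections.singletonMap("acr_values", "AdminChain");
        Map<String, String> service  = Collections.singletonMap("service", "SamlChain");
        Map<String, String> none     = Collections.emptyMap();

        for (Map<String, String> q : Arrays.asList(mapped, unmapped, service, none)) {
            System.out.println(q + " => " + resolve(q, settings));
        }
    }
}
```

      The "AdminChain" request shows the check a practitioner would want: an acr value the provider has not mapped never becomes a chain name, so the request falls through to the configured default ("mfa pwd"), and the ID token's acr claim is the value that actually selected the chain rather than whatever the client asked for.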

              People

              • Assignee: Phill Cunnington (phillcunnington)
              • Reporter: Quentin CASTEL (quentin.castel, inactive)
              • Votes: 1
              • Watchers: 10
