A user can be logged in to more than one chain. Therefore, the OAuth2 implementation should check that the acr_values match at least one of the user's chains.
The problem is that the current implementation treats a user's chain history as a single value rather than as a list, as if the user could only be logged in to one chain:
serviceUsed can be a list, in the format "/:chainB|chainA"
- Create a chainA with a datastore in it
- Create a chainB with a datastore in it
- Create an OpenID environment for the authorization code flow
- Create an OpenID provider
- Define the acr mapping in this service configuration:
  - chainA == chainA
  - chainB == chainB
- Create an OpenID agent and configure it properly (I would personally use https://github.com/ForgeRock/openid)
- Log in with the demo user in both chains.
- Try the OAuth2 authorization code grant flow: http://openam.example.com:13084/openam/oauth2/authorize?acr_values=chainA%20chainB&response_type=code&client_id=myClientID&realm=%2F&scope=openid%20profile&redirect_uri=http%3A%2F%2Fopenam.example.com%3A13084%2Fopenid%2Fcb-basic.html&state=af0ifjsldkj
- Continue the flow until you get an id token
You will get the following:
As you can see, the acr value is 0, meaning that none of the chains the user logged in to matches the acr_values.
The acr value returned should be either "chainA" or "chainB". When both match, the decision between the two should probably be the most recently used chain.
serviceUsed should be parsed, as its value could be "chainC" if the user is logged in to only one chain for the moment, or "/:chainB|chainA". AMAuthUtils should help you to achieve this.
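The following is an added illustration of the parsing and matching described above; it is not OpenAM's code and does not use AMAuthUtils. It assumes the two serviceUsed forms quoted in this report ("chainC" and "/:chainB|chainA"), that the part before ":" in an entry is a realm prefix to be dropped, that entries are ordered most recent first (an assumption, used to prefer the most recently used chain), and that acr_values is space-separated as in the request URL above. The function names are hypothetical. The single-value variant reproduces the reported behaviour (no match when the user is in two chains) next to the list-aware fix.

```python
from typing import List, Optional


def parse_service_used(service_used: str) -> List[str]:
    """Parse a serviceUsed value into a list of chain names.

    Accepts both forms from the report: a bare chain name ("chainC") and a
    realm-prefixed, '|'-separated list ("/:chainB|chainA").  A "realm:"
    prefix on an entry is dropped; order is preserved (assumed most recent
    first).
    """
    chains: List[str] = []
    for entry in service_used.split("|"):
        entry = entry.strip()
        if ":" in entry:
            # "/:chainB" -> "chainB"; the realm part is not needed for matching
            entry = entry.rsplit(":", 1)[1]
        if entry:
            chains.append(entry)
    return chains


def parse_acr_values(acr_values: str) -> List[str]:
    """acr_values is a space-separated list (URL-decoded: "chainA chainB")."""
    return acr_values.split()


def select_acr_single_value(service_used: str, acr_values: str) -> Optional[str]:
    """Reported behaviour: serviceUsed is compared as one opaque string.

    With "/:chainB|chainA" nothing matches, so the caller ends up with acr 0.
    """
    requested = set(parse_acr_values(acr_values))
    return service_used if service_used in requested else None


def select_acr(service_used: str, acr_values: str) -> Optional[str]:
    """Proposed behaviour: return the first (assumed most recent) user chain
    that appears in acr_values, or None when no chain matches."""
    requested = set(parse_acr_values(acr_values))
    for chain in parse_service_used(service_used):
        if chain in requested:
            return chain
    return None


if __name__ == "__main__":
    # Constructed inputs taken from the report: the user is logged in to
    # chainB and chainA, and the client requested "chainA chainB".
    session_value = "/:chainB|chainA"
    requested = "chainA chainB"
    print("single-value match:", select_acr_single_value(session_value, requested))  # None
    print("list-aware match:  ", select_acr(session_value, requested))               # chainB
```

Mapping a None result to the acr value 0 is left to the caller, so the function can also be used where the absence of a match should be treated as an error rather than a default claim value.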