  1. OpenAM
  2. OPENAM-9859

ACR_Values not working if the user is logged in to more than one chain


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0
    • Fix Version/s: 13.5.1
    • Component/s: oauth2
    • Sprint:
      AM Sustaining Sprint 36, AM Sustaining Sprint 37


      A user can be logged in to more than one chain. Therefore, the OAuth2 implementation should check that the acr_values match at least one of the user's chains.

      The problem is that the current implementation treats the user's chain history as a single value rather than a list, as if the user could only be logged in to one chain:


              // The "Service" session property is read as a single chain name
              String serviceUsed = token.getProperty(ISAuthConstants.SERVICE);
              Set<String> acrValues = new HashSet<>(Arrays.asList(acrValuesStr.split("\\s+")));
              OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
              Map<String, AuthenticationMethod> acrMap = settings.getAcrMapping();
              final Request req = request.getRequest();
              boolean matched = false;
              for (String acr : acrValues) {
                  if (acrMap.containsKey(acr)) {
                      // Never true when serviceUsed holds several chains
                      if (serviceUsed.equals(acrMap.get(acr).getName())) {
                          req.getAttributes().put(OAuth2Constants.JWTTokenParams.ACR, acr);
                          matched = true;
                      }
                  }
              }

      serviceUsed can be a list, in the format "/:chainB|chainA"

      How to reproduce


      • Create a chainA with a datastore in it
      • Create a chainB with a datastore in it
      • Create an OpenID environment for the authorization code flow
        • Create an OpenID provider
        • Define the ACR mapping in this service configuration
          • chainA == chainA
          • chainB == chainB
      • Create an OpenID agent and configure it properly (I would personally use https://github.com/ForgeRock/openid)

      When ...

      Current output

      You will get the following:

        "at_hash": "YxHqccdSM3am2KQrKU5N7w",
        "sub": "demo",
        "auditTrackingId": "fdb55b55-1f10-4cca-98d7-787f9565936b-1844",
        "iss": "http://openam.example.com:13084/openam/oauth2",
        "tokenName": "id_token",
        "aud": "myClientID",
        "c_hash": "aXA50RlD-SpFjtza90tpPw",
        "acr": "0",
        "org.forgerock.openidconnect.ops": "0ab4c1cf-2d34-4089-a218-e9148a6306ae",
        "azp": "myClientID",
        "auth_time": 1476791549,
        "realm": "/",
        "exp": 1476795156,
        "tokenType": "JWTToken",
        "iat": 1476791556

      As you can see, the acr value is 0, which means that none of the chains the user logged in with matched the acr_values.

      Expected output

      The acr value returned should be either "chainA" or "chainB". The choice between the two should probably favor the most recently used chain.

      Technical details

      In ResourceOwnerSessionValidator,

              String serviceUsed = token.getProperty(ISAuthConstants.SERVICE);

      should be parsed, as the value could be "chainC" if the user is currently logged in to only one chain, or "/:chainB|chainA". AMAuthUtils should help you achieve this.

              parseData(token.getProperty(ISAuthConstants.SERVICE), true);
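
      The check described above, as an added stand-alone example (not OpenAM code and not the fix that shipped): it parses the session value into a set of chains and matches each requested acr against that set. The class and method names are hypothetical, a plain Map stands in for the provider's ACR mapping, and the "|" and "realm:" format is assumed from the sample value in this issue. Ties are resolved by the order of acr_values, since the page does not state how the property orders chains.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example, not OpenAM code: class and method names are hypothetical.
public class AcrChainMatcher {

    // Splits a session "Service" value such as "chainC" or "/:chainB|chainA"
    // into chain names. Assumption: entries are "|"-separated and may carry a
    // "realm:" prefix, as in the sample value from this issue.
    static Set<String> parseChains(String serviceProperty) {
        Set<String> chains = new LinkedHashSet<>();
        if (serviceProperty == null) {
            return chains;
        }
        for (String entry : serviceProperty.split("\\|")) {
            String name = entry.substring(entry.lastIndexOf(':') + 1).trim();
            if (!name.isEmpty()) {
                chains.add(name);
            }
        }
        return chains;
    }

    // Returns the first requested acr value (request order) whose mapped chain
    // is one the user has authenticated with, or empty if none matches.
    static Optional<String> matchAcr(String acrValuesStr, Map<String, String> acrToChain,
                                     String serviceProperty) {
        Set<String> chains = parseChains(serviceProperty);
        for (String acr : acrValuesStr.trim().split("\\s+")) {
            String chain = acrToChain.get(acr);
            if (chain != null && chains.contains(chain)) {
                return Optional.of(acr);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed mapping and session values mirroring the reproduction steps.
        Map<String, String> acrMap = Map.of("chainA", "chainA", "chainB", "chainB");
        System.out.println(matchAcr("chainA", acrMap, "/:chainB|chainA")); // multi-chain session
        System.out.println(matchAcr("chainA", acrMap, "chainC"));          // no matching chain
        // The single-value comparison from the issue fails on the same input:
        System.out.println("/:chainB|chainA".equals(acrMap.get("chainA")));
    }
}
```

      The realm prefix is discarded in this sketch; a real check would also need to decide whether the chain's realm must match the provider's realm before the acr claim is asserted.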


              • Assignee:
                quentin.castel Quentin CASTEL [X] (Inactive)