[OPENAM-5708] Need support for acr_values in authz request and acr in id_token Created: 24/Mar/15  Updated: 20/Nov/16  Resolved: 30/Mar/15

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 13.0.0
Fix Version/s: 12.0.5, 13.0.0

Type: Bug Priority: Critical
Reporter: Garyl Erickson Assignee: David Luna
Resolution: Fixed Votes: 0
Labels: AME, testfail
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

13.0.0 trunk

Support Ticket IDs:
QA Assignee: Garyl Erickson


This is needed for the Basic conformance profile for the OpenID Connect Certification tests, specifically test "Providing acr_values [Basic, Implicit, Hybrid] (OP-Req-acr_values)".

acr_values is defined in Core § Authentication Request and acr is defined in Core §2. ID Token

We probably also need to support acr_values_supported, defined in Discovery §3. OpenID Provider Metadata, and possibly default_acr_values, defined in Dynamic Client Registration §2. Client Metadata.

Comment by David Luna [ 25/Mar/15 ]


Comment by Garyl Erickson [ 25/Mar/15 ]

With the patch of 25 Mar 15, I get acr back in the id_token, but only if a login was required. If I repeat the OIDC Certification test while still logged in, acr is not returned. I think it should be.

Comment by Garyl Erickson [ 25/Mar/15 ]

With the same patch, with [2]=ldapService in the "OpenID Connect acr_values to Auth Chain Mapping" in the OAuth2 Provider service and "OpenID Connect default acr claim" set to 1 (and no changes to the default authentication setup), id_token returns claim "acr":"2" and .well-known/openid-configuration returns "acr_values_supported":["2"]. Shouldn't acr_values_supported also include "1"?

When does the "OpenID Connect default acr claim" come into play? Isn't the ldapService also the default authentication chain that is supposed to use it? If I have no values for "OpenID Connect acr_values to Auth Chain Mapping" and "OpenID Connect default acr claim" set to 1, .well-known/openid-configuration does not return acr_values_supported and the test does not get acr in id_token.

Comment by David Luna [ 26/Mar/15 ]

Working on a solution to the issue whereby if you're already logged in and request auth with a set of acr_values, we grant you the acr corresponding to your currently logged-in state. Should be here shortly.

Comment by David Luna [ 30/Mar/15 ]

svn 13221 & 13222
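Added example, not OpenAM code and not part of this ticket: a standalone Python model of the decision the thread converges on. It parses the "[2]=ldapService" mapping format quoted in the 25 Mar comment, builds acr_values_supported for discovery, picks the auth chain for an acr_values parameter (space-separated, in order of preference, per Core §3.1.2.1), reuses an existing session when it already satisfies a requested value (the case found missing on 25 Mar and fixed on 26 Mar), and emits the acr claim in the ID Token. Assumptions, marked in the comments: acr_values_supported also advertises the default acr (the open question in the 25 Mar comment); an acr_values that the OP cannot satisfy is not an error because acr is a voluntary claim, so the OP reports what it actually did; the chain and issuer names are made up.

```python
"""Model of acr_values -> auth chain selection and the acr claim.

Constructed example, not OpenAM code.  Only the "[acr]=chain" mapping
format comes from the ticket; chain names, fallback rules and the
treatment of unsupported values are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProviderConfig:
    # Parsed "OpenID Connect acr_values to Auth Chain Mapping": acr -> chain.
    acr_to_chain: dict
    # "OpenID Connect default acr claim": reported when the session was not
    # produced by a mapped chain (assumed behaviour).
    default_acr: Optional[str]
    # Chain run when nothing requested can be honoured (assumption).
    default_chain: str = "ldapService"


def parse_mapping(entries):
    """Turn entries such as "[2]=ldapService" into {"2": "ldapService"}."""
    mapping = {}
    for entry in entries:
        key, _, chain = entry.partition("=")
        key = key.strip()
        if key.startswith("[") and key.endswith("]"):
            key = key[1:-1]
        if not key.strip() or not chain.strip():
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[key.strip()] = chain.strip()
    return mapping


def acr_values_supported(cfg):
    """acr_values_supported for /.well-known/openid-configuration.

    Every mapped acr plus the default acr, since the OP can return either
    (assumed answer to the question raised in the comments)."""
    values = list(cfg.acr_to_chain)
    if cfg.default_acr is not None and cfg.default_acr not in values:
        values.append(cfg.default_acr)
    return values


def acr_for_chain(cfg, chain):
    """acr that completing `chain` entitles a session to, else the default."""
    for acr, mapped in cfg.acr_to_chain.items():
        if mapped == chain:
            return acr
    return cfg.default_acr


@dataclass
class Decision:
    chain: str               # authentication chain the OP will rely on
    acr: Optional[str]       # acr claim to place in the ID Token (None = omit)
    login_required: bool     # must the user (re)authenticate?


def decide(cfg, acr_values: Optional[str], session_chain: Optional[str]):
    """Resolve an authentication request's acr_values against the config.

    acr_values: the space-separated, preference-ordered request parameter.
    session_chain: chain completed by the caller's existing session, or None.
    """
    requested = acr_values.split() if acr_values else []

    if session_chain is not None:
        # Already logged in: if the current session satisfies one of the
        # requested values (or nothing specific was asked for), reuse it and
        # still emit acr instead of dropping the claim.
        current = acr_for_chain(cfg, session_chain)
        if not requested or current in requested:
            return Decision(session_chain, current, False)

    # Otherwise run the first requested value the OP knows how to satisfy.
    for acr in requested:
        chain = cfg.acr_to_chain.get(acr)
        if chain is not None:
            return Decision(chain, acr, True)

    if session_chain is not None:
        # Nothing requested is supported; acr is voluntary, so keep the
        # session and report what it actually satisfied (assumption).
        return Decision(session_chain, acr_for_chain(cfg, session_chain), False)
    return Decision(cfg.default_chain, cfg.default_acr, True)


def id_token_claims(decision, iss, sub, aud):
    """Minimal ID Token claim set; acr is included whenever one was resolved."""
    claims = {"iss": iss, "sub": sub, "aud": aud}
    if decision.acr is not None:
        claims["acr"] = decision.acr
    return claims


if __name__ == "__main__":
    # Same configuration as the 25 Mar comment: [2]=ldapService, default acr 1.
    cfg = ProviderConfig(parse_mapping(["[2]=ldapService"]), "1")
    print("acr_values_supported:", acr_values_supported(cfg))
    for acr_values, session in [("2", None), ("2", "ldapService"), ("3", None)]:
        d = decide(cfg, acr_values, session)
        print(acr_values, session, "->", d, id_token_claims(d, "https://op.example", "alice", "rp1"))
```

The model keeps the two behaviours the thread argues about separate: the discovery list is computed from configuration alone, while the acr actually emitted depends on which chain the session completed, which is why a default-chain login under this configuration comes back as acr "2" rather than the configured default "1".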

Generated at Wed Nov 25 08:43:13 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.