[OPENAM-6751] acr_values in AuthZ request is ignored if the user is already logged in Created: 03/Sep/15  Updated: 17/Oct/16  Resolved: 18/Sep/15

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 12.0.0, 12.0.1
Fix Version/s: 12.0.5, 13.0.0

Type: Bug Priority: Major
Reporter: Leonard Moustacchis Assignee: James Phillpotts
Resolution: Fixed Votes: 0
Labels: CustomerRFE, ame, tesla
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Sprint 94 - Team Tesla


The OpenAM OAuth2 authorize endpoint allows parameter acr_values, see: https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-openid-connect#mobile-connect-table-auth-request-params.
If the user is already logged in to OpenAM when accessing the authorize endpoint, OpenAM does not provide the requested authentication chain.

Workaround: it is possible to force authentication using the parameter "prompt=login".

Source code: http://sources.forgerock.org/browse/openam/tags/12.0.0-1/openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMResourceOwnerSessionValidator.java

Comment by Cyril Grosjean [ 04/Sep/15 ]

One foreseen solution could be for OpenAM to implement the OIDC optional "claims" parameter in authorization requests. This would then enable applications to request the "acr" claim as essential (rather than as voluntary, which is the case when the acr claim is requested thanks to the "acr_values" request parameter).
More generally, this would thus enable OpenAM to support more business use cases, like step-up authentication in an OIDC scenario for example, in a standard way.

Comment by Leonard Moustacchis [ 07/Sep/15 ]

To emphasise your comment: the use case will be to perform step-up authentication when accessing the authorize endpoint.
For example, an application requires either login/pw authN (level 1), or login/pw + OTP (level 2), or certificate (level 3). A user authenticated at level 1 cannot access a resource at level 2 and should perform a level 2 authentication. Alternatively, a user authenticated at level 3 can access the endpoint at level 2.

Comment by James Phillpotts [ 18/Sep/15 ]

We were checking that the acr values matched; now we require authentication if we don't find a match for the requested value(s).
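The following is an added example (not OpenAM's code, and not taken from OpenAMResourceOwnerSessionValidator.java) that models the decision discussed in this issue: given the query string of an authorize request and the acr of the caller's existing session, should the resource owner be sent back through authentication? It shows the pre-fix behaviour described in the report (any existing session is accepted, so acr_values is ignored unless prompt=login is sent) next to the corrected behaviour from the last comment (require authentication when no requested acr matches), and applies the step-up ordering from the level 1/2/3 comment. The acr names and their level mapping in ACR_LEVELS are constructed for the example and are not OpenAM configuration values.

```python
"""Added example: acr_values handling at an OIDC authorize endpoint.
Not OpenAM code; the acr names and ACR_LEVELS mapping are constructed."""
from typing import List, Optional
from urllib.parse import parse_qs

# Constructed mapping from acr value to authentication level (assumption).
# Higher level = stronger authentication, as in the level 1/2/3 comment.
ACR_LEVELS = {
    "password": 1,       # login/pw
    "password-otp": 2,   # login/pw + OTP
    "certificate": 3,    # client certificate
}


def parse_acr_values(query: str) -> List[str]:
    """acr_values is a space-separated, preference-ordered list (OIDC Core 3.1.2.1)."""
    params = parse_qs(query)
    raw = params.get("acr_values", [""])[0]
    return raw.split()


def _prompt_has_login(query: str) -> bool:
    """prompt is also space-separated; 'login' forces re-authentication."""
    params = parse_qs(query)
    return "login" in params.get("prompt", [""])[0].split()


def requires_auth_before_fix(query: str, session_acr: Optional[str]) -> bool:
    """Behaviour the report describes: an existing session is always accepted,
    so acr_values has no effect unless the caller also sends prompt=login."""
    if _prompt_has_login(query):
        return True
    return session_acr is None


def requires_auth_after_fix(query: str, session_acr: Optional[str]) -> bool:
    """Corrected behaviour: authentication is required when the session does not
    satisfy the requested acr_values.

    A session satisfies the request when its acr is one of the requested values,
    or (step-up semantics from the comments) when its level is at least the
    lowest requested level. Unknown acr values cannot be proven satisfied, so
    they require authentication rather than silently passing."""
    if _prompt_has_login(query):
        return True
    if session_acr is None:
        return True
    requested = parse_acr_values(query)
    if not requested:
        return False  # no acr constraint in the request; the session suffices
    if session_acr in requested:
        return False  # exact match on a requested value
    session_level = ACR_LEVELS.get(session_acr)
    requested_levels = [ACR_LEVELS[a] for a in requested if a in ACR_LEVELS]
    if session_level is None or not requested_levels:
        return True
    # Level 3 session satisfies a level 2 request; level 1 session does not.
    return session_level < min(requested_levels)


if __name__ == "__main__":
    # Constructed authorize-request query strings and session states.
    cases = [
        ("acr_values=password-otp", "password"),      # step-up needed
        ("acr_values=password-otp", "certificate"),   # stronger session, OK
        ("acr_values=password-otp&prompt=login", "password-otp"),
        ("", "password"),                             # no acr requested
    ]
    for query, acr in cases:
        print(f"{query!r:45} session={acr!r:15} "
              f"before={requires_auth_before_fix(query, acr)} "
              f"after={requires_auth_after_fix(query, acr)}")
```

The first case is the reported bug in miniature: with a level 1 session and a request for the level 2 acr, the pre-fix logic returns False (no re-authentication), while the corrected logic returns True. The prompt=login case shows why the workaround in the description works on both versions.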

Generated at Sat Nov 28 23:30:04 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.