[OPENAM-9074] wrong acr_values mapping makes the authorization flow looping Created: 10/Jun/16 Updated: 24/Oct/17 Resolved: 22/Jun/16
|Fix Version/s:||12.0.5, 13.5.0|
|Reporter:||Quentin CASTEL (Inactive)||Assignee:||Dipu Seminlal|
|Labels:||13.5.0-Should-Fix, AME, TESLA|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Support Ticket IDs:|
Then try the authorization grant flow with 'acr_values=wrong_chain'.
An error message tells you that this acr_values doesn't map to the arm_mapping.
We currently check whether the acr_values is valid against the token's authentication context. It isn't, so we redirect the user to the login page. => OK
We build the URL like this:
This is where it is interesting:
If the ACRValue matches none of the loaMapping, we ignore the acr_value.
Solution 1: we consider that every acr_values should correspond to a chain via the loaMapping.
That's the solution I prefer, as in my opinion I consider the request invalid if one of the acr_values doesn't map to a chain.
Therefore, we should clean the list of acr_values first before doing
|Comment by Jonathan Scudder [ 14/Jun/16 ]|
Bug triage: please consult with Phill/JamesP and others regarding the preferred fix.
|Comment by James Phillpotts [ 17/Jun/16 ]|
Looking at the OIDC spec, the following sections are relevant:
It seems to me that the appropriate action, instead of requiring authentication when there is no matching acr for the requested ones, is to set the acr claim to 0, as per the second reference above.
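To make the three behaviours discussed in this issue concrete (the current code that drops an unmapped acr_value and loops, the reporter's Solution 1 that rejects the request, and the acr "0" approach from the comment above), here is an added Python model of the authorization endpoint's acr_values handling. It is illustrative code written for this page, not OpenAM's implementation: LOA_MAPPING, DEFAULT_CHAIN, the urn:example acr URIs and the Policy names are all constructed.

```python
"""Model of how an OIDC authorization endpoint resolves acr_values against an
acr -> authentication-chain mapping (the loaMapping in this issue), comparing the
looping behaviour described in the issue with the two proposed fixes.

Added example, not OpenAM code. LOA_MAPPING, DEFAULT_CHAIN and the acr URIs are
constructed; the Policy names are illustrative.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed mapping: requested acr value -> authentication chain.
LOA_MAPPING = {
    "urn:example:loa:1": "ldapService",
    "urn:example:loa:2": "otpChain",
}
DEFAULT_CHAIN = "ldapService"  # hypothetical chain used when the login URL names none


class Policy(Enum):
    IGNORE_UNMATCHED = "ignore"  # current behaviour described in the issue
    REJECT_UNMATCHED = "reject"  # Solution 1: an unmapped acr_value invalidates the request
    ACR_ZERO = "acr0"            # proposal in the comments: issue the token with acr "0"


@dataclass
class Session:
    chain: Optional[str]  # chain the SSO session authenticated with; None = no session


@dataclass
class Outcome:
    action: str                  # "redirect_login", "error", "issue_token" or "loop"
    acr: Optional[str] = None    # acr claim placed in the ID token
    chain: Optional[str] = None  # chain named in the login redirect / used for the token
    error: Optional[str] = None


def resolve_acr_values(acr_values: str):
    """Split the space-separated acr_values and look each one up in LOA_MAPPING."""
    matched, unmatched = [], []
    for acr in acr_values.split():
        if acr in LOA_MAPPING:
            matched.append((acr, LOA_MAPPING[acr]))
        else:
            unmatched.append(acr)
    return matched, unmatched


def authorize(acr_values: str, session: Session, policy: Policy) -> Outcome:
    """One pass through the authorization endpoint for a request carrying acr_values."""
    matched, unmatched = resolve_acr_values(acr_values)

    if policy is Policy.REJECT_UNMATCHED and unmatched:
        return Outcome("error", error="invalid_request: unmapped acr_values " + " ".join(unmatched))

    if not matched:
        if policy is Policy.ACR_ZERO:
            # Nothing requested can be satisfied: authenticate with the default chain if
            # needed, then issue the token with acr "0" instead of demanding re-authentication.
            if session.chain is None:
                return Outcome("redirect_login", chain=DEFAULT_CHAIN)
            return Outcome("issue_token", acr="0", chain=session.chain)
        # IGNORE_UNMATCHED: the unmapped value is dropped from the login URL, but no
        # session can ever satisfy it, so every pass ends in another login redirect.
        return Outcome("redirect_login", chain=DEFAULT_CHAIN)

    # Does the existing session already satisfy one of the mapped acr_values?
    for acr, chain in matched:
        if session.chain == chain:
            return Outcome("issue_token", acr=acr, chain=chain)
    # No: send the user to the first mapped chain.
    acr, chain = matched[0]
    return Outcome("redirect_login", chain=chain)


def simulate_flow(acr_values: str, policy: Policy, max_rounds: int = 3):
    """Drive the browser round trip: request, login redirect, login, retry.

    Returns the final Outcome and how many logins it took; "loop" if max_rounds is hit.
    """
    session = Session(None)
    for rounds in range(max_rounds):
        out = authorize(acr_values, session, policy)
        if out.action != "redirect_login":
            return out, rounds
        session = Session(out.chain)  # user authenticates with the chain in the redirect
    return Outcome("loop"), max_rounds


if __name__ == "__main__":
    for policy in Policy:
        out, rounds = simulate_flow("wrong_chain", policy)
        print(f"{policy.name:17} acr_values=wrong_chain -> {out.action} after {rounds} login(s)")
```

Running the script shows the difference the issue is about: with IGNORE_UNMATCHED the user is sent to the login page on every pass and never receives a token, REJECT_UNMATCHED fails fast with an OAuth2 error before any login, and ACR_ZERO completes after one login with acr "0" in the token. A partially mapped request such as "wrong_chain urn:example:loa:2" is still honoured under ACR_ZERO (the mapped value wins) but rejected under REJECT_UNMATCHED.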
|Comment by Ľubomír Mlích [ 23/Oct/17 ]|
I'm trying to verify this issue in OpenAM 13.0.0-SECURITY-SNAPSHOT Build 7cb4977b53 (2017-October-12 16:24)
I see that standard 13.0 shows the login screen again, as described, and in the debug log there is "No ACR value matched". The security-patched OpenAM version lets me log in, but there is no error on screen. In the debug log I see another "No ACR value matched". Is it ok? Thanks.
|Comment by Ľubomír Mlích [ 24/Oct/17 ]|
Verified in OpenAM 13.0.0-SECURITY-SNAPSHOT Build 7cb4977b53 (2017-October-12 16:24)