Add functionality for configuring acr_values #122

Closed
Glowsome opened this issue Jul 7, 2022 · 4 comments

Comments


Glowsome commented Jul 7, 2022

The current implementation does not provide a means to send an authentication context.

This is described in OpenID Connect Core 1.0 incorporating errata set 1.

The optional value is described in section 3.1.2.1. Authentication Request.

acr_values
OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

When an authentication context is not sent with the request, it is up to the IDP to determine the contract to execute, and by default this will be a Username/Password type.
By adding the acr_values parameter, one can explicitly select a different contract to authenticate with, for example Username/Password/2FA.


MarcelCoding commented Jul 8, 2022

Hi, first of all thanks for your interest in this project. Just to clarify that I understood the feature correctly: you can configure that the user always has to log in using his password, regardless of whether they are already authenticated or not.

You just want an environment variable to configure that.
In the response, it should be validated that the required authentication methods were used.


Glowsome commented Jul 8, 2022

The acr_values dictates/enforces the authentication contract when a user logs in.

> In the response, it should be validated that the required authentication methods were used.

Of course, that is also described in the standard.

@MarcelCoding (Owner)

Hi, I just finished it. I've tested it using Keycloak. But I noticed in the past that this isn't a general test. Would it be possible to test it yourself? You can use the edge tag for the docker image, or download the binary directly from GitHub Actions. I've added a new environment variable ACR_VALUES where you can pass a space-separated list of allowed authentication classes. I hope it is as you expected. If anything is missing or difficult to use/understand, just come back to me, I will try my best to help you.

@MarcelCoding (Owner)

I am going to create a release if everything works as expected and an issue in an underlying dependency is fixed. (This may be able to be delayed for a later release.)
