acr_values not working if the user is logged in to more than one chain #42

Closed
tsujiguchitky opened this issue Apr 4, 2019 · 0 comments
tsujiguchitky commented Apr 4, 2019

Description

The OIDC authentication request has a request parameter called acr_values, which can specify the authentication process. If the user's authentication has satisfied the request, the authorization server returns the result in the acr claim of the ID token.

In the OpenAM implementation, acr_values is mapped to an authentication chain. If the user has passed the specified authentication chain, OpenAM sets the mapped value in the acr claim.

However, if a user authenticates in multiple chains by session upgrade, OpenAM will not return the expected acr even if one of the chains meets the acr_values request.

Steps to reproduce

  1. Create two authentication chains (chainA/chainB)
  2. Set up OpenAM as an OpenID Connect Provider
  3. Configure the acr mapping on the OP
    • acrA=chainA
    • acrB=chainB
  4. Create settings for the Relying Party
  5. Authenticate in both authentication chains (session upgrade)
    • /openam/UI/Login?service=chainA
    • /openam/UI/Login?service=chainB
  6. Try the OAuth2 authorization code grant flow with the acr_values parameter
    • /openam/oauth2/authorize?acr_values=acrA%20acrB&....
  7. After obtaining the ID token, check the claims in the ID token

Expected Results

The acr claim will be acrA or acrB.

{
  "at_hash": "...",
  "sub": "...",
  "auditTrackingId": "...",
  "iss": "...",
  "tokenName": "...",
  "aud": "...",
  "c_hash": "...",
  "acr": "acrA",
  "org.forgerock.openidconnect.ops": "...",
  "azp": "...",
  "auth_time": ...,
  "realm": "...",
  "exp": ...,
  "tokenType": "...",
  "iat": ...
}

Actual Results

{
  "at_hash": "...",
  "sub": "...",
  "auditTrackingId": "...",
  "iss": "...",
  "tokenName": "...",
  "aud": "...",
  "c_hash": "...",
  "acr": "0",
  "org.forgerock.openidconnect.ops": "...",
  "azp": "...",
  "auth_time": ...,
  "realm": "...",
  "exp": ...,
  "tokenType": "...",
  "iat": ...
}

References

[OPENAM-9859] ACR_Values not working if the user is login in more than one chain
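The practical consequence of this bug sits on the Relying Party side: an RP that requested acrA or acrB must not treat the resulting ID token as satisfying that requirement when the acr claim comes back as "0" (the OIDC Core value meaning no requested context was met) or as a value it did not ask for. The following Python is an added example, not code from OpenAM or from the issue author. It builds the authorization request query with a space-separated acr_values (step 6 above), decodes a constructed sample ID token payload modelled on the Expected and Actual results, and checks the acr claim against the requested values. The hostnames, client id, and the placeholder signature are all constructed; signature verification of the ID token is assumed to happen before this check and is not shown.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed sample claim sets modelled on the issue's Expected and Actual
# results; only the claims relevant to acr handling are kept.
EXPECTED_CLAIMS = {"iss": "https://op.example/openam/oauth2", "sub": "demo", "acr": "acrA"}
ACTUAL_CLAIMS = {"iss": "https://op.example/openam/oauth2", "sub": "demo", "acr": "0"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned compact-JWS-shaped string for the demo only.
    The third segment is a placeholder, not a real signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


def build_authorize_query(client_id, redirect_uri, acr_values, state, nonce) -> str:
    """Query string for the authorization request (step 6 in the issue).
    acr_values is a space-separated list per OIDC Core 3.1.2.1; quote_via=quote
    renders the space as %20 as in the issue's example URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    return urlencode(params, quote_via=quote)


def decode_payload_unverified(id_token: str) -> dict:
    """Return the payload claims of a compact JWS.
    Assumption: the signature has already been verified elsewhere (hypothetical
    step not shown); this function only parses."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def acr_satisfied(claims: dict, requested_acr_values) -> tuple:
    """Decide whether the ID token's acr claim meets what the RP requested.
    Returns (ok, reason). acr_values is voluntary for the OP, so the RP has to
    check the outcome itself rather than assume the request was honoured."""
    requested = set(requested_acr_values)
    acr = claims.get("acr")
    if acr is None:
        return False, "no acr claim in ID token"
    if acr == "0":
        # OIDC Core: "0" means the authentication did not meet the requested context.
        return False, "acr is '0': OP reports no requested context was met"
    if acr not in requested:
        return False, f"acr {acr!r} is not among requested {sorted(requested)}"
    return True, f"acr {acr!r} satisfies the request"


if __name__ == "__main__":
    requested = ["acrA", "acrB"]
    print(build_authorize_query("rp-client", "https://rp.example/cb", requested, "s1", "n1"))
    for label, claims in (("expected", EXPECTED_CLAIMS), ("actual", ACTUAL_CLAIMS)):
        token = make_sample_token(claims)
        print(label, acr_satisfied(decode_payload_unverified(token), requested))
```

Run as a script, the "expected" token is accepted and the "actual" token from the issue (acr "0") is rejected with the reason; an RP that enforces this check fails closed under the bug instead of silently accepting a weaker authentication.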
