The OIDC authentication request has a request parameter called acr_values, which can specify the authentication process. If the user's authentication has satisfied the request, the authorization server returns the result in the acr claim of the ID token.
In the OpenAM implementation, acr_values is mapped to an authentication chain. If the user has passed the specified authentication chain, OpenAM sets the mapped value in the acr claim.
However, if a user authenticates in multiple chains by session upgrade, it will not return the expected acr even if a chain meets the acr_values request.
Steps to reproduce
1. Create two authentication chains (chainA/chainB)
2. Set up OpenAM as OpenID Connect Provider
3. Configure acr mapping to OP
   acrA=chainA
   acrB=chainB
4. Create settings for Relying Party
5. Authenticate in both authentication chains (session upgrade)
   /openam/UI/Login?service=chainA
   /openam/UI/Login?service=chainB
6. Try the oauth2 authorize code grant flow with acr_values parameter
Expected Results
The acr claim will be acrA or acrB.
Actual Results
References
[OPENAM-9859] ACR_Values not working if the user is login in more than one chain
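
The expected behaviour described in this report, as an added example that is not part of the original issue and is not OpenAM code: a model of which acr a session that passed several chains should receive, and the check a relying party can run on the returned ID token. The function names and the shape of the session data are assumptions; the acrA/acrB mapping is the one from the reproduction steps.

```python
# Added illustration; function names and data shapes are assumptions,
# not OpenAM internals.

# acr -> chain mapping from the reproduction steps.
ACR_TO_CHAIN = {"acrA": "chainA", "acrB": "chainB"}


def expected_acr(acr_values, completed_chains, acr_to_chain=ACR_TO_CHAIN):
    """Return the first requested acr whose mapped chain the session passed.

    acr_values is the space-separated request parameter, in preference order.
    completed_chains is every chain the session has passed, including those
    added by session upgrade. Returns None if no requested value is satisfied.
    """
    done = set(completed_chains)
    for acr in acr_values.split():
        chain = acr_to_chain.get(acr)
        if chain is not None and chain in done:
            return acr
    return None


def rp_check_acr(id_token_claims, requested_acr_values):
    """Relying-party side: accept the token only if its acr was requested.

    id_token_claims is the already signature-verified claim set.
    Returns (ok, reason).
    """
    requested = requested_acr_values.split()
    acr = id_token_claims.get("acr")
    if acr is None:
        return False, "ID token has no acr claim"
    if acr not in requested:
        return False, f"acr {acr!r} not in requested {requested}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed session: the user logged in to chainA, then upgraded via chainB.
    session_chains = ["chainA", "chainB"]
    for request in ("acrA", "acrB", "acrB acrA"):
        acr = expected_acr(request, session_chains)
        print(request, "->", acr, rp_check_acr({"acr": acr}, request))
```

A relying party that depends on a particular authentication chain should run a check like `rp_check_acr` on every ID token, since the acr claim is the only evidence it receives of which chain was satisfied.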