[mitreid-connect] support for acr in id_token

Justin Richer jricher at mit.edu
Tue Mar 10 10:18:31 EDT 2015 

Naveen,

Your best bet is probably going to be to put something into the user's 
session to indicate how they came in, then reach into that object when 
you're building the ID Token in your own version of the 
OIDCTokenService. You can access Spring Security's current security 
context object statically, so this shouldn't be hard to pull off.

Alternatively (and probably more cleanly), you can save it into the 
Authentication object itself, probably in the extensions Map that's in 
there. We use that map for things like prompt conditions, authentication 
time, and other components. Take a look at how the 
AuthenticationTimeStamper class works as an example of this, which sets 
the auth_age parameter in the ID Token.

  -- Justin

On 3/10/2015 8:02 AM, Naveen Jamal wrote:
> hi all,
>
>   i'm trying to extend the openid connect server to support returning 
> an acr value in the id_token based on how the user authenticated 
> (username/password, OTP, soft token, hard token, ...) .
>
>   i've been able to display a custom login form that accepts the 
> necessary extra text fields (along with username and password) based 
> on the acr_values passed to the authorize endpoint, and can also 
> validate the extra user input to decide which acr was achieved.
>
>   i'm having trouble figuring out how to get the acr (as inferred by 
> the login submission) returned via token endpoint. i see that i'll 
> have to add acr to the idClaims object in DefaultOIDCTokenService.java 
> to get it to be returned as part of the id_token, but can't figure out 
> how to make the acr value inferred at login form submission to be 
> accessible at the DefaultOIDCTokenService. Seems like it needs to be 
> part of the stored in the authentication longblob field in the 
> authorization_code table?
>
>   any suggestion on how i should go about this?
>
>   thanks in advance,
>
> -naveen
>
>
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150310/cd5830cd/attachment.htm

More information about the mitreid-connect mailing list