<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Naveen,<br>
<br>
Your best bet is probably going to be to put something into the
user's session to indicate how they came in, then reach into that
object when you're building the ID Token in your own version of the
OIDCTokenService. You can access Spring Security's current security
context object statically, so this shouldn't be hard to pull off. <br>
<br>
Alternatively (and probably more cleanly), you can save it into the
Authentication object itself, probably in the extensions Map that's
in there. We use that map for things like prompt conditions,
authentication time, and other components. Take a look at how the
AuthenticationTimeStamper class works as an example of this, which
sets the auth_age parameter in the ID Token.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 3/10/2015 8:02 AM, Naveen Jamal
wrote:<br>
</div>
<blockquote
cite="mid:CAHMEspHOavOJR+OhKnPJbvSk9FaE_DfowqoLxQwfEi5S6aWXcw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi all,
<div><br>
</div>
<div> I'm trying to extend the OpenID Connect server to support
returning an acr value in the id_token based on how the user
authenticated (username/password, OTP, soft token, hard token,
...). </div>
<div><br>
</div>
<div> I've been able to display a custom login form that
accepts the necessary extra text fields (along with username
and password) based on the acr_values passed to the authorize
endpoint, and can also validate the extra user input to decide
which acr was achieved.</div>
<div><br>
</div>
<div> I'm having trouble figuring out how to get the acr (as
inferred from the login submission) returned via the token endpoint.
I see that I'll have to add acr to the idClaims object
in DefaultOIDCTokenService.java to get it returned
as part of the id_token, but can't figure out how to make the
acr value inferred at login form submission accessible
at the DefaultOIDCTokenService. It seems like it needs to be part
of what's stored in the authentication longblob field in the
authorization_code table?</div>
<div><br>
</div>
<div> Any suggestions on how I should go about this?</div>
<div><br>
</div>
<div> Thanks in advance,</div>
<div><br>
</div>
<div>-naveen</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
mitreid-connect mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>
<a class="moz-txt-link-freetext" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a>
</pre>
</blockquote>
<br>
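The approach Justin describes, applied to Naveen's acr question, as an added example (not MITREid Connect's own code nor code from either poster): the login step stores the ACR it verified in the session, a helper copies it into the AuthorizationRequest extensions (the map that is serialized into the authorization_code row, so it survives to the token endpoint, where no browser session exists), and a DefaultOIDCTokenService subclass emits it as the acr claim. The names AcrClaimSupport, ACR_SESSION_ATTR and stampAcr are hypothetical, the ACR URNs are constructed, and the protected addCustomIdTokenClaims hook is assumed from later MITREid releases; on the 2015 code base the same lines go into your modified createIdToken next to the auth_time claim.<br>

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.openid.connect.service.impl.DefaultOIDCTokenService;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import com.nimbusds.jwt.JWTClaimsSet;

/** Carries the ACR the server verified at login through to the ID Token (constructed example). */
public final class AcrClaimSupport {
    /** Session attribute the login step writes once it has verified the ACR (hypothetical name). */
    public static final String ACR_SESSION_ATTR = "ACHIEVED_ACR";
    /** Key in the AuthorizationRequest/OAuth2Request extensions map; persisted with the auth code. */
    public static final String ACR_EXTENSION = "acr";
    /** ACR values this server can actually verify (constructed URNs); anything else is dropped. */
    private static final Set<String> KNOWN_ACRS = new HashSet<>(Arrays.asList(
            "urn:example:acr:password", "urn:example:acr:otp", "urn:example:acr:hardware-token"));

    /** Copy the verified ACR from the session into the request extensions; call it where the request is built or approved, as TofuUserApprovalHandler does for auth_time. */
    public static void stampAcr(AuthorizationRequest authzRequest) {
        ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attr == null) return;                       // no browser request in scope
        HttpSession session = attr.getRequest().getSession(false);
        if (session == null) return;
        Object acr = session.getAttribute(ACR_SESSION_ATTR);
        // Only the value the server itself established goes in; the client's acr_values are never echoed
        if (acr instanceof String && KNOWN_ACRS.contains(acr)) {
            authzRequest.getExtensions().put(ACR_EXTENSION, (String) acr);
        }
    }

    /** Token service that emits the persisted ACR as the "acr" claim next to auth_time. */
    public static class AcrAwareOIDCTokenService extends DefaultOIDCTokenService {
        @Override
        protected void addCustomIdTokenClaims(JWTClaimsSet.Builder idClaims, ClientDetailsEntity client,
                OAuth2Request request, String sub, OAuth2AccessTokenEntity accessToken) {
            Map<String, Serializable> ext = request.getExtensions();  // restored from the stored code
            Object acr = ext == null ? null : ext.get(ACR_EXTENSION);
            if (acr instanceof String && KNOWN_ACRS.contains(acr)) {
                idClaims.claim("acr", acr);
            }
        }
    }
}
```

The KNOWN_ACRS check is the point that matters for relying parties: the acr claim must state what the server verified, never what the client requested in acr_values.<br>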
</body>
</html>