<div dir="ltr">thanks justin.<div><br></div><div>the cleaner option seems like the way to go. that was the way i was trying to approach the problem.<div><br></div><div>as far as the first option, just to be clear, since the /token request originates from the relying party and the not the end user's browser, the two can't share any HTTP session info.. so you're suggesting using spring's security context object instead ? i'm very new to java and spring, so please bear with me :)</div></div><div><br></div><div>;n</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 10, 2015 at 7:48 PM, Justin Richer <span dir="ltr"><<a href="mailto:jricher@mit.edu" target="_blank">jricher@mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Naveen,<br>
<br>
Your best bet is probably going to be to put something into the
user's session to indicate how they came in, then reach into that
object when you're building the ID Token in your own version of the
OIDCTokenService. You can access Spring Security's current security
context object statically, so this shouldn't be hard to pull off. <br>
<br>
Alternatively (and probably more cleanly), you can save it into the
Authentication object itself, probably in the extensions Map that's
in there. We use that map for things like prompt conditions,
authentication time, and other components. Take a look at how the
AuthenticationTimeStamper class works as an example of this, which
sets the auth_age parameter in the ID Token.<br>
<br>
-- Justin<div><div class="h5"><br>
<br>
<div>On 3/10/2015 8:02 AM, Naveen Jamal
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">hi all,
<div><br>
</div>
<div> i'm trying to extend the openid connect server to support
returning an acr value in the id_token based on how the user
authenticated (username/password, OTP, soft token, hard token,
...) . </div>
<div><br>
</div>
<div> i've been able to display a custom login form that
accepts the necessary extra text fields (along with username
and password) based on the acr_values passed to the authorize
endpoint, and can also validate the extra user input to decide
which acr was achieved.</div>
<div><br>
</div>
<div> i'm having trouble figuring out how to get the acr (as
inferred by the login submission) returned via token endpoint.
i see that i'll have to add acr to the idClaims object
in DefaultOIDCTokenService.java to get it to be returned
as part of the id_token, but can't figure out how to make the
acr value inferred at login form submission to be accessible
at the DefaultOIDCTokenService. Seems like it needs to be part
of the stored in the authentication longblob field in the
authorization_code table?</div>
<div><br>
</div>
<div> any suggestion on how i should go about this?</div>
<div><br>
</div>
<div> thanks in advance,</div>
<div><br>
</div>
<div>-naveen</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
mitreid-connect mailing list
<a href="mailto:mitreid-connect@mit.edu" target="_blank">mitreid-connect@mit.edu</a>
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" target="_blank">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>