Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
In section 5.5.1 (Individual Claims Requests) of the OpenID Connect Core 1.0 specification the following claim value members are defined:
- essential
- value
- values
Keycloak takes into account only values when a client requests the acr claim with the claims request parameter.
For example, if the request parameter claims is sent with the value '%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%22%7D%7D%7D'.
This value is the URL-encoded form of the claim:
{ "id_token": { "acr": { "essential": true, "value": "https://refeds.org/profile/mfa" } } }
The specification does not define what happens if the claims request parameter contains both value and values. We propose to keep the current Keycloak behaviour of taking into account only values if both exist.
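As an added example (not Keycloak's own code), the following Python parser decodes the claims request parameter and extracts the requested acr values according to the three members of section 5.5.1, with a flag that mirrors the reported behaviour (a lone value member is ignored) and the proposed rule that values wins when both are present. The function names and the second sample parameter are constructed for illustration.

```python
import json
from urllib.parse import quote, unquote

# Sample from the report: the URL-encoded claims request parameter.
CLAIMS_PARAM = ("%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C"
                "%22value%22%3A%22https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%22%7D%7D%7D")

# Constructed sample containing both "value" and "values" (not from the report).
BOTH_PARAM = quote(json.dumps({"id_token": {"acr": {
    "essential": True, "value": "urn:a", "values": ["urn:b", "urn:c"]}}}), safe="")


def requested_acr_values(claims_param, honor_value=True):
    """Return (essential, [acr values]) requested for the id_token acr claim.

    Implements the members of OIDC Core 1.0 section 5.5.1: essential, value,
    values. honor_value=False mirrors the behaviour reported here, where only
    "values" is considered. When both members are present, "values" wins.
    """
    claims = json.loads(unquote(claims_param))
    acr = claims.get("id_token", {}).get("acr")
    # "acr": null (or absent) means no specific value was requested.
    if not isinstance(acr, dict):
        return False, []
    essential = acr.get("essential") is True
    if "values" in acr:
        return essential, [str(v) for v in acr["values"]]
    if honor_value and "value" in acr:
        return essential, [str(acr["value"])]
    return essential, []


def needs_step_up(claims_param, current_acr, honor_value=True):
    """True when the session's current acr does not satisfy the request.

    An essential request for values the session does not meet means the
    provider must run step-up authentication (or fail the request).
    """
    essential, wanted = requested_acr_values(claims_param, honor_value)
    if not wanted:
        return False
    return essential and current_acr not in wanted


if __name__ == "__main__":
    print(requested_acr_values(CLAIMS_PARAM))
    print(needs_step_up(CLAIMS_PARAM, current_acr="0"))
```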
Version
26.2.0
Regression
- The issue is a regression
Expected behavior
Required acr "https://refeds.org/profile/mfa" must be requested
Actual behavior
No acr is requested
How to Reproduce?
If the request parameter claims is sent with the value '%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%22%7D%7D%7D', Keycloak will not perform any acr step-up authentication.
This value is the URL-encoded form of the claim:
{ "id_token": { "acr": { "essential": true, "value": "https://refeds.org/profile/mfa" } } }
OAuth tools can be used to reproduce the issue.
Anything else?
No response