Description
When a client specifies an acr_values parameter in the authorization request, Keycloak by default forwards that acr_values parameter unchanged to any configured OpenID Connect identity provider it brokers to.
Because different identity providers use different, and potentially incompatible, values for acr_values, forwarding this parameter should be disabled by default, or at least it should be possible to disable it per identity provider.
Motivation
For example, the Norwegian electronic ID (BankID) uses its own custom acr values, so if Keycloak forwards the acr_values it received from the client (for example 4), the authentication request to BankID will trigger a warning and potentially fail.
Forwarding the client's acr_values also makes it impossible to configure a specific acr_values value for a given identity provider, independent of what the client sent.
Details
To reproduce the current behaviour:
- Configure an OpenID Connect identity provider in a realm
- Create a /auth URL with acr_values=2 as a query parameter and select the configured identity provider
- Notice that the acr_values parameter is forwarded to the identity provider
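To make the requested behaviour concrete, the following is an added illustration written for this issue, not Keycloak's own broker code. It models the forwarding decision with two hypothetical per-provider settings, `forward_acr_values` (the "disable forwarding" switch) and `acr_values_override` (a provider-specific value), and applies them to a constructed authorization request that selects the provider via the real Keycloak kc_idp_hint parameter. The realm name, hostnames, provider alias and the override value are all placeholders.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample: a client's authorization request to a Keycloak realm,
# selecting the brokered OIDC provider with kc_idp_hint and asking for acr_values=2
# (the reproduction steps in this issue). Hostnames and realm are placeholders.
KEYCLOAK_AUTH_URL = (
    "https://keycloak.example.com/realms/demo/protocol/openid-connect/auth"
    "?client_id=my-app&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&kc_idp_hint=bankid&acr_values=2"
)

# Hypothetical broker-side configuration for one identity provider.
# `forward_acr_values` models the requested "disable forwarding" switch and
# `acr_values_override` the requested provider-specific value; neither is an
# existing Keycloak option. The defaults reproduce the current behaviour.
IDP_CONFIG = {
    "bankid": {
        "authorization_url": "https://idp.example.no/oauth2/authorize",
        "client_id": "keycloak-broker",
        "redirect_uri": "https://keycloak.example.com/realms/demo/broker/bankid/endpoint",
        "forward_acr_values": True,   # current behaviour: client value is passed through
        "acr_values_override": None,  # no provider-specific value configured
    }
}


def with_settings(config: dict, alias: str, **overrides) -> dict:
    """Return a copy of `config` with the given provider's settings changed."""
    copied = {k: dict(v) for k, v in config.items()}
    copied[alias].update(overrides)
    return copied


def build_idp_request(keycloak_auth_url: str, idp_config: dict) -> str:
    """Build the outbound authorization request a broker would send to the IdP.

    Illustrative model only: the provider is chosen from kc_idp_hint, then the
    client's acr_values is replaced by the configured override, forwarded as-is,
    or dropped, depending on the provider settings.
    """
    query = parse_qs(urlsplit(keycloak_auth_url).query)
    cfg = idp_config[query["kc_idp_hint"][0]]
    outbound = {
        "client_id": cfg["client_id"],
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": cfg["redirect_uri"],
    }
    if cfg["acr_values_override"] is not None:
        outbound["acr_values"] = cfg["acr_values_override"]
    elif cfg["forward_acr_values"] and "acr_values" in query:
        outbound["acr_values"] = query["acr_values"][0]
    return cfg["authorization_url"] + "?" + urlencode(outbound)


def forwarded_acr_values(idp_request_url: str):
    """Return the acr_values the provider would receive, or None if it is absent."""
    return parse_qs(urlsplit(idp_request_url).query).get("acr_values", [None])[0]


if __name__ == "__main__":
    # Current behaviour: the client's "2" reaches a provider that may not understand it.
    print("forwarding on :", forwarded_acr_values(build_idp_request(KEYCLOAK_AUTH_URL, IDP_CONFIG)))
    # Requested behaviour 1: forwarding disabled, nothing is sent.
    off = with_settings(IDP_CONFIG, "bankid", forward_acr_values=False)
    print("forwarding off:", forwarded_acr_values(build_idp_request(KEYCLOAK_AUTH_URL, off)))
    # Requested behaviour 2: a provider-specific value (placeholder string) replaces the client's.
    fixed = with_settings(IDP_CONFIG, "bankid", acr_values_override="provider-specific-level")
    print("override      :", forwarded_acr_values(build_idp_request(KEYCLOAK_AUTH_URL, fixed)))
```

Running the block prints the three outcomes in order: the client's 2 forwarded unchanged, no acr_values at all, and the configured provider-specific placeholder; the last two are what this issue asks Keycloak to make possible.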