Additional Parameter in 'OAuth 2.0/OpenID Connect' Request - Authentication Context Class Reference (acr)

Hello community,

We already use 'OAuth 2.0/OpenID Connect' to log in to our OIM-Backend-Tools (Manager, Designer, ....).

Now we want to make Strong Authentication mandatory (YubiKey+PIN) and prevent login with username+password.

For this we have to extend the OpenID request with the parameter acr_values.

The request string required by the provider: 

<AMBaseURL>/oauth2/<realmPath>/authorize?client_id=<client-id>&state=<app-state>&scope=openid%20profile&redirect_uri=<redirect-uri>&response_type=code&nonce=<nonce>&acr_values=<acr-value>

Let's split the request string:

OI Setting                    | Parameter in request
------------------------------|---------------------------------------------------
Login Endpoint (screenshot)   | <AMBaseURL>/oauth2/<realmPath>/authorize
Client ID (screenshot)        | client_id=<client-id>
Value okay: set dynamically   | state=<app-state>
Scope (screenshot)            | scope=openid%20profile
Redirect URI (screenshot)     | redirect_uri=<redirect-uri>
Value okay                    | response_type=code
Value okay: set dynamically   | nonce=<nonce>
missing value                 | acr_values=<acr-value>


Question:

We can successfully send all the requested values with the string, but not the acr_values. Where can I enter this additional value in the OI settings?
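As an added illustration (not part of the original post and not One Identity code), the following builds the authorize URL from the post with acr_values appended and shows the check a relying party still has to do afterwards: acr_values is only a request preference, so the returned ID token's acr claim must be verified or a password-only login could still be accepted. Base URL, realm, client values and the acr identifier are constructed placeholders.

```python
"""Authorization request with acr_values plus enforcement of the returned acr claim.
Added example; all URLs, identifiers and tokens below are constructed placeholders."""
import base64
import json
import secrets
from urllib.parse import urlencode, quote, parse_qs, urlparse

# Constructed stand-ins for <AMBaseURL>, <realmPath> and <acr-value> in the post.
AM_BASE_URL = "https://am.example.test"
REALM_PATH = "corp"
ACR_REQUIRED = ["urn:example:acr:yubikey-pin"]  # hypothetical acr identifier


def build_authorize_url(client_id, redirect_uri, acr_values, state=None, nonce=None):
    """Return the authorize URL from the post; state/nonce are random unless given."""
    params = {
        "client_id": client_id,
        "state": state or secrets.token_urlsafe(16),
        "scope": "openid profile",
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "nonce": nonce or secrets.token_urlsafe(16),
        # Space-separated, most preferred first (OIDC Core acr_values semantics).
        "acr_values": " ".join(acr_values),
    }
    # quote_via=quote encodes spaces as %20, matching the provider's example string.
    return f"{AM_BASE_URL}/oauth2/{REALM_PATH}/authorize?" + urlencode(params, quote_via=quote)


def query_params(url):
    """Decode the query string back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def id_token_claims(id_token):
    """Read the JWT payload. Signature, iss, aud, exp and nonce must already have
    been verified by the OIDC library; this step only extracts the claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def acr_satisfied(claims, required):
    """Reject the login unless the provider asserts one of the required acr values.
    A missing acr claim means the request preference was not honoured."""
    return claims.get("acr") in required


def make_unsigned_token(claims):
    """Constructed fixture for offline testing: header.payload. with an empty
    signature. Real ID tokens carry a signature that must be verified first."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."
```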

  • Hi all,

    we are currently running into this issue again. We use OI Manager 9.0 LTS at the moment. Is acr_value supported with this version?

    thanks for your support

    Nick

  • 9.0 LTS supports acr values in general. In Designer you will find the property "Request authentication context" at the identity provider and the identity client master data. ("Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.")

    Can you please indicate which application (API server, AppServer, etc.) encountered the missing ACR values during authentication?
