Additional Parameter in 'OAuth 2.0/OpenID Connect' Request - Authentication Context Class Reference (acr)

Hello community,

We already use 'OAuth 2.0/OpenID Connect' to log in to our OIM-Backend-Tools (Manager, Designer, ....).

Now we want to make Strong Authentication mandatory (Yubikey+PIN) and prevent login with username+password.

For this we have to extend the OpenID request with the parameter acr_values.

The request string required by the provider: 

<AMBaseURL>/oauth2/<realmPath>/authorize?client_id=<client-id>&state=<app-state>&scope=openid%20profile&redirect_uri=<redirect-uri>&response_type=code&nonce=<nonce>&acr_values=<acr-value>

Let's split the request string:

  OI Setting                      Parameter in request
  Login Endpoint (screenshot)     <AMBaseURL>/oauth2/<realmPath>/authorize
  Client ID (screenshot)          client_id=<client-id>
  Value okay: set dynamically     state=<app-state>
  Scope (screenshot)              scope=openid%20profile
  Redirect URI (screenshot)       redirect_uri=<redirect-uri>
  Value okay                      response_type=code
  Value okay: set dynamically     nonce=<nonce>
  missing value                   acr_values=<acr-value>


Question:

We can successfully send all the requested values with the string, but not the acr_values. Where can I enter this additional value in the OI settings?
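Added example, not code from the post or from One Identity Manager: it builds the authorize request from the post with acr_values (plus the optional "claims" parameter that marks acr as an essential claim, since acr_values by itself is only a hint the Authorization Server may ignore), and it shows the check the client side must still do on the returned ID token, because requesting an acr does not by itself prevent a password login if the provider does not honour the request. The base URL, realm, client ID, redirect URI, issuer string and the acr name "yubikey-pin" are assumed placeholders; the ID token payload is assumed to have had its signature verified already.

```python
"""Build an OIDC authorization request that asks for a specific Authentication
Context Class (acr_values) and check the resulting ID token claims.

Added example; not code from the post or from One Identity Manager. Hostnames,
realm, client ID, redirect URI, issuer and the acr name are assumed placeholders.
"""
import json
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed placeholders for <AMBaseURL>, <realmPath>, <client-id>, <redirect-uri>.
AM_BASE_URL = "https://am.example.test"
REALM_PATH = "root"
CLIENT_ID = "oim-launchpad"
REDIRECT_URI = "https://oim.example.test/oidc/callback"
# Assumed issuer; in practice take "issuer" from the AS discovery document.
ISSUER = f"{AM_BASE_URL}/oauth2/{REALM_PATH}"
# Assumed acr name for the Yubikey+PIN journey; use whatever the AS advertises.
STRONG_ACR = "yubikey-pin"


def build_authorize_url(acr_values, state=None, nonce=None, essential=True):
    """Return (url, state, nonce) for the /authorize request shown in the post.

    acr_values alone is a voluntary request: the AS may ignore it and still
    issue an ID token. With essential=True we also send the "claims"
    parameter (OIDC Core 5.5.1.1) marking acr as essential with the allowed
    values, so a conforming AS fails the request instead of downgrading.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "state": state,
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    if essential:
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}},
            separators=(",", ":"),
        )
    # quote (not quote_plus) so the space in the scope becomes %20 as in the post.
    query = urlencode(params, quote_via=quote)
    return f"{AM_BASE_URL}/oauth2/{REALM_PATH}/authorize?{query}", state, nonce


def extract_code(callback_url, expected_state):
    """Take the authorization code from the redirect, rejecting a wrong state."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def check_id_token_claims(claims, expected_nonce, acceptable_acr, now=None):
    """Return the list of failed checks for an already signature-verified ID token payload.

    Asking for acr_values is only half of "prevent username+password": the
    client must also refuse an ID token whose acr claim is missing or not one
    of the requested values, otherwise a provider that ignores the hint lets a
    password login through.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")
    if claims.get("acr") not in set(acceptable_acr):
        problems.append("acr")
    return problems


if __name__ == "__main__":
    url, state, nonce = build_authorize_url([STRONG_ACR])
    print(url)
    # Constructed callback and ID token payload standing in for the real AS response.
    code = extract_code(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
               "nonce": nonce, "acr": STRONG_ACR, "sub": "nick"}
    print(code, check_id_token_claims(payload, nonce, [STRONG_ACR]))
```

Whatever field the OI settings expose for the acr value, the check in check_id_token_claims is what actually enforces the policy: a token with acr missing or set to anything outside the requested set is rejected, and state and nonce are bound to the session that started the request.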

  • 9.0 LTS supports acr values in general. In Designer you will find the property "Request authentication context" at the identity provider and the identity client master data. ("Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.")

    Can you please indicate which application (API server, AppServer, etc.) encountered the missing ACR values during authentication?

  • Hi Markus,

    thanks a lot. It now works as it should. Great.

    I'm not sure what your question is aimed at exactly, but what we wanted to achieve (and now can) is that we can connect, e.g. with the Launchpad, against a WEN OpenID Connect (OIDC) managed by our clients.

    thanks again

    Nick