Make sure validated id_token acr claim equals specified oxTrust authn method

[nynymike]

How to authenticate is controlled via the browser (i.e. a GET request to the authorize endpoint). So nothing stops a user from using a different type of authentication just by changing the value of the authorization endpoint URL. However, once authenticated, the validated id_token can be trusted. Therefore, when oxTrust creates an application session, if an authn method is specified for oxTrust (see screenshot below), the id_token acr claim should match.

Ideally, if the authn method was not matching, oxTrust would redirect back to oxAuth with authorization request params prompt=login and 'acr_values=(specified)`

[yurem]

oxTrust validates authentication method which oxAuth used for authentication already:
https://github.com/GluuFederation/oxTrust/blob/master/server/src/main/java/org/gluu/oxtrust/action/Authenticator.java#L485

@shekhar16 can you try to change in authorization request acr_values parameter?

[shekhar16]

yes i agree ,but as per Mike we had to redirect to oxauth/login with params like nonce + acr values

[yurem]

I think we should not add property to explicitly specify https://{host}/oxauth/login

Right now oxTrust has property 'oxAuthIssuer'. At user login it request metadata from specified server. And uses 'authorization_endpoint' in order to send request.

There is only one missing part. oxTrust should verify if specified issuer really issued id_token for oxTrust. It can check ISSUER claim of id_token

[nynymike]

Yes, it should verify both the issuer and the acr in the id_token.

[shekhar16]

Fixed.

[nynymike]

This fix needs to be applied to 3.0.2