Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure validated id_token acr claim equals specified oxTrust authn method #513

Closed
nynymike opened this issue Mar 31, 2017 · 6 comments
Closed

Make sure validated id_token acr claim equals specified oxTrust authn method #513

nynymike opened this issue Mar 31, 2017 · 6 comments
Assignees
@shekhar16
Labels
bug
Milestone
CE 3.0.2

Comments

@nynymike
Copy link
Contributor

nynymike commented Mar 31, 2017
edited
Loading

How to authenticate is controlled via the browser (i.e. a GET request to the authorize endpoint). So nothing stops a user from using a different type of authentication just by changing the value of the authorization endpoint URL. However, once authenticated, the validated id_token can be trusted. Therefore, when oxTrust creates an application session, if an authn method is specified for oxTrust (see screenshot below), the id_token acr claim should match.

image

Ideally, if the authn method was not matching, oxTrust would redirect back to oxAuth with authorization request params prompt=login and 'acr_values=(specified)`
@nynymike nynymike added the bug label Mar 31, 2017
@nynymike nynymike added this to the CE 3.0.2 milestone Mar 31, 2017
@yurem
Copy link
Contributor

yurem commented Apr 3, 2017

oxTrust validates authentication method which oxAuth used for authentication already:
https://github.com/GluuFederation/oxTrust/blob/master/server/src/main/java/org/gluu/oxtrust/action/Authenticator.java#L485

@shekhar16 can you try to change in authorization request acr_values parameter?

@shekhar16
Copy link
Contributor

yes i agree ,but as per Mike we had to redirect to oxauth/login with params like nonce + acr values

@yurem
Copy link
Contributor

yurem commented Apr 4, 2017

I think we should not add property to explicitly specify https://{host}/oxauth/login

Right now oxTrust has property 'oxAuthIssuer'. At user login it request metadata from specified server. And uses 'authorization_endpoint' in order to send request.

There is only one missing part. oxTrust should verify if specified issuer really issued id_token for oxTrust. It can check ISSUER claim of id_token

@nynymike
Copy link
Contributor Author

nynymike commented Apr 4, 2017
edited
Loading

Yes, it should verify both the issuer and the acr in the id_token.

shekhar16 pushed a commit that referenced this issue Apr 7, 2017
oxTrust issue #513
1444dc1
@shekhar16
Copy link
Contributor

Fixed.

@nynymike nynymike closed this as completed Apr 8, 2017
@nynymike nynymike reopened this Apr 8, 2017
@nynymike
Copy link
Contributor Author

nynymike commented Apr 8, 2017

This fix needs to be applied to 3.0.2

yurem pushed a commit that referenced this issue Apr 24, 2017
@yurem
oxTrust issue #513
6fd8b3e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shekhar16 shekhar16

Labels
bug
Projects
None yet
Milestone
CE 3.0.2
Development

No branches or pull requests
4 participants
@nynymike @willow9886 @yurem @shekhar16