user_oidc

Support for ACR values

Open Vertganti opened this issue 2 years ago • 0 comments

We want to support some clients that only require a single factor for authentication and some clients that require two factors (and some that allow step-up for specific requests - but those are not relevant here). Nextcloud is one of the clients requiring two factors. Currently we have split the clients into two realms with different authentication flows. If a user uses two clients from different realms they have to perform authentication twice. We would like to have all clients in one realm for proper SSO. For this we need support for handling acr claims as this would allow different levels of authentication within one realm. Is there any plan to support handling of ACR values?

The ACR handling would require three additions. I'm not very good at PHP and I don't know the codebase well, but I have tried to identify the parts of the code that would need changes.

  1. Add a setting which allows a user to specify if ACR should be handled and what ACR value should be used. I did not look this up in the code as I guess it would be a trivial part.

  2. When sending a login request the acr claim has to be added to the request. I think this would be done here. The official Keycloak documentation gives an example for the claim (in the Request a certain authentication level paragraph of the linked section).

    claims= {
        "id_token": {
            "acr": {
                "essential": true,
                "values": ["ACR_VALUE_GOES_HERE"]
            }
        }
    }
    
  3. When receiving the response from the IdP the value of the acr claim in the ID token returned by the IdP has to be compared with the requested value. Otherwise users could avoid having to go through extra steps by changing the login URL. This is mentioned in the Keycloak documentation (in the warning block of the linked section). I am not entirely sure where the IdP response is handled in the code, but I think the check would need to be added here.

Vertganti Oct 25 '23 13:10
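The three steps above (a configured ACR value, the `claims` parameter on the authorization request, and the comparison of the returned `acr` claim) as one added, runnable example. This is not user_oidc code and not the issue author's code; it is written in Python rather than PHP so that it runs stand-alone. The authorization endpoint, client id, redirect URI and the ACR name "gold" are placeholders, and the sample ID token is minted locally with a throw-away HMAC key so the check can run offline. A real client verifies the IdP's asymmetric signature against the JWKS before reading any claim; the HMAC signing here stands in for that step only.

```python
"""Added example: request an ACR via the OIDC ``claims`` parameter and verify
the ``acr`` claim of the returned ID token. Not user_oidc code; endpoint,
client, redirect URI and the ACR value "gold" are hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            acr_values, state=None, nonce=None):
    """Step 2: put the requested ACR into the ``claims`` parameter, shaped as
    in the Keycloak documentation (id_token -> acr -> essential + values)."""
    claims = {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return authorization_endpoint + "?" + urlencode(params)


def requested_acr_values_from_url(url):
    """Read back the ACR values carried in a request URL's ``claims`` param
    (what an IdP sees; an empty list means nothing was requested)."""
    query = parse_qs(urlparse(url).query)
    if "claims" not in query:
        return []
    return json.loads(query["claims"][0]).get("id_token", {}).get("acr", {}).get("values", [])


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_id_token(claims, key):
    """Constructed sample only: mint an HS256 token so the check has input.
    Real IdPs sign ID tokens with asymmetric keys published via JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_verified_payload(id_token, key):
    """Verify the signature, then return the payload. ``acr`` is only
    trustworthy after this step; never read it from an unverified token."""
    header, body, sig = id_token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("ID token signature invalid")
    return json.loads(_b64url_decode(body))


def acr_satisfied(payload, requested_acr_values):
    """Step 3: the acr the IdP asserts must be one of the values the client
    asked for. A missing claim, or a value outside the requested set (e.g. the
    realm's default level because the user dropped the claims parameter from
    the login URL), must fail the login."""
    acr = payload.get("acr")
    return isinstance(acr, str) and acr in set(requested_acr_values)


def login_check(id_token, key, requested_acr_values):
    """True only when the token is authentic and carries an acceptable acr."""
    try:
        payload = decode_verified_payload(id_token, key)
    except ValueError:
        return False
    return acr_satisfied(payload, requested_acr_values)


DEMO_KEY = b"constructed-demo-key"   # throw-away key for the offline sample
REQUESTED_ACR = ["gold"]            # hypothetical ACR name configured for Nextcloud

if __name__ == "__main__":
    url = build_authorization_url(
        "https://idp.example.com/realms/demo/protocol/openid-connect/auth",
        "nextcloud", "https://cloud.example.com/apps/user_oidc/code", REQUESTED_ACR)
    print(url)
    strong = make_test_id_token({"sub": "alice", "acr": "gold"}, DEMO_KEY)
    weak = make_test_id_token({"sub": "alice", "acr": "silver"}, DEMO_KEY)
    print(login_check(strong, DEMO_KEY, REQUESTED_ACR), login_check(weak, DEMO_KEY, REQUESTED_ACR))
```

The comparison is deliberately an exact match against the configured set rather than a "good enough" ordering, because ACR names are opaque strings and their ordering is realm-specific; a client that wants to accept several levels lists all of them in `values` and in the check.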