  1. OpenId Connect
  2. OIDC-168

Validate ACR in returned id token if specified in claim

Details

    • New Feature
    • Resolution: Fixed
    • Minor
    • 2.6.0
    • 2.5.1
    • Authenticator
    • None
    • Unit
    • Unknown

    Description

      If an ACR value is specified in the claims sent to the IdP, it should be validated that the same value is returned in the ID token in the OIDC callback. This is a security measure required for step-up authentication, since the claims can be manually edited in the requested URL.
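
The check this issue asks for, sketched as an added example (not the project's own code). The function names, the `AcrMismatch` exception and the `urn:example:...` ACR values are assumptions; it also accepts the `values` list form of the `claims` parameter, which goes slightly beyond the single-value case described above, and it assumes the ID token signature has already been verified.

```python
import json

class AcrMismatch(Exception):
    """Raised when the ID token does not carry a requested ACR."""

def requested_acrs(claims_param):
    """Return the ACR value(s) requested for the ID token in the OIDC
    `claims` request parameter (OpenID Connect Core, section 5.5)."""
    claims = json.loads(claims_param) if claims_param else {}
    acr = (claims.get("id_token") or {}).get("acr") or {}
    wanted = []
    if isinstance(acr.get("value"), str):
        wanted.append(acr["value"])
    wanted += [v for v in acr.get("values") or [] if isinstance(v, str)]
    return wanted

def validate_acr(stored_claims_param, id_token_claims):
    """Compare the ACR in an already signature-verified ID token with the
    one that was requested. `stored_claims_param` must be the copy kept in
    the server-side session when the request was built, never a value
    read back from the browser, because the URL can be edited."""
    wanted = requested_acrs(stored_claims_param)
    if not wanted:
        return None  # no ACR was requested, nothing to enforce
    got = id_token_claims.get("acr")
    if not isinstance(got, str) or got not in wanted:
        raise AcrMismatch(f"requested {wanted}, token has {got!r}")
    return got

# Constructed sample data: the stored request and two callback results.
STORED = json.dumps(
    {"id_token": {"acr": {"essential": True, "value": "urn:example:acr:mfa"}}}
)
STEPPED_UP = {"sub": "alice", "acr": "urn:example:acr:mfa"}
DOWNGRADED = {"sub": "alice", "acr": "urn:example:acr:password"}

if __name__ == "__main__":
    print("accepted:", validate_acr(STORED, STEPPED_UP))
    try:
        validate_acr(STORED, DOWNGRADED)
    except AcrMismatch as exc:
        print("rejected:", exc)
```

A token with no `acr` claim at all is rejected the same way as one with a different value, so a tampered request cannot pass by making the IdP omit the claim.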

            People

              Vertganti Björn Meusburger