Title: Support claims request parameter on oidc validator

Question

Title: Support claims request parameter on oidc validator

kokukuma opened this issue 3 years ago · 1 comments

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
This issue affects my Ory Cloud project.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Describe your problem

I want to restrict end-user’s authentication on authentication request to AuthZ Server. For example, the AuthZ Server provides multi authentication methods and a RP wants end-user to authenticate by specific authentication method.

At first, I was thinking that the acr_values is proper request parameter to specify which authentication is required. But, when reading ory/fosite and OpenID Connect Core, using claims request parameter is looks proper option. However, currently, fosite does not support claims request parameter.
https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics

Describe your ideal solution

If fosite support claims request parameter and validate acr on ID Token, a client can enforce end-user to authenticate by specific authentication mehtod.

How to validate is that check if ID Token's AuthenticationContextClassReference is satisfied the request on acr.values of claims parameter when the essential value is true.

Workarounds or alternatives

Use custom request parameter on the authenticate request and validate it outside of fosite.

Version

v0.40.2

Additional Context

No response

Answer 1 · 2023-01-15T00:18:26.000Z

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

open a PR referencing and resolving the issue;
leave a comment on it and discuss ideas on how you could contribute towards resolving it;
leave a comment and describe in detail why this issue is critical for your use case;
open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️