Do you want to request a feature or report a bug?
Bug
What is the current behavior?
Hydra is not applying acr value send in login accept request to idToken claim acr, acr is allways set to "0".
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
docker exec -it hydra_hydra_1 hydra token user --client-id auth-code-client --client-secret secret --endpoint http://localhost:4444/ --port 5555 --scope openid,offlineUsing POSTMAN
curl -X GET \
'http://localhost:4444/oauth2/auth?client_id=auth-code-client&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=dvdpslouplmovbwpwlisngoy&nonce=dzcflbtjchgblfocytbpsrpf&acr_values=1+2' \
-H 'Cache-Control: no-cache' \
-H 'Postman-Token: 32167cef-0703-4e38-b339-90f47087c8e2'curl -X PUT \
http://localhost:4445/oauth2/auth/requests/login/6943d3ab880b49e7826f70e85bd20349/accept \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: ec486c1a-3a4c-409d-8b85-5d722f841eb7' \
-d '{"acr":"2", "remember":false, "remember_for":0, "subject":"[email protected]", "force_subject_identifier":"[email protected]"}'5'. Accept consent request
curl -X PUT \
http://localhost:4445/oauth2/auth/requests/consent/998f6a3ff5f043869f62699fe0488c27/accept \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: a5343561-c20c-4271-b1da-fc22723ee2de' \
-d '{"grant_scope":["openid","offline"], "remember":false, "remember_for":0}'
curl -X GET \
'http://localhost:4444/oauth2/auth?acr_values=1+2&client_id=auth-code-client&consent_verifier=37b65b5fc4134b65afbd34204b1e43f4&nonce=dzcflbtjchgblfocytbpsrpf&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=dvdpslouplmovbwpwlisngoy' \
-H 'Cache-Control: no-cache' \
-H 'Postman-Token: aef1a836-e501-48ec-804a-42fe60edc178'RESULT:
<<html>
<head></head>
<body>
<ul>
<li>Access Token:
<code>2yno3_Ahu0g7f3wFzrI8X0pJ7mQJoONEpg7JptmAbt0.1ojwpvuNJE7x5JWyk8uYbTre1quZxISesf5YT8qKKtk</code>
</li>
<li>Refresh Token:
<code>51ihQE9sC_6JVckPKdj-_OMm_CjSrUeJ9k_QPyftHAM.7rBi9Mhx6svok3A5EMAyk4wnhJSUSLHr2wUMi__MF5o</code>
</li>
<li>Expires in:
<code>2018-09-14 13:00:03.387005916 +0000 UTC m=+3725.953416942</code>
</li>
<li>ID Token:
<code>eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzozN2JhOTMxYy1hM2Q0LTQ5ZjgtYmFkYS01ZTNkZmE1MGVlZDAiLCJ0eXAiOiJKV1QifQ.eyJhY3IiOiIwIiwiYXVkIjpbImF1dGgtY29kZS1jbGllbnQiXSwiYXV0aF90aW1lIjoxNTM2OTI2MzU3LCJleHAiOjE1MzY5MzAwMDQsImlhdCI6MTUzNjkyNjQwNCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDQ0LyIsImp0aSI6IjFkYjg2NmUxLTgzZjAtNGQ3Ny04ZTQzLTEzNmMxNWE5ODUwNCIsIm5vbmNlIjoiZHpjZmxidGpjaGdibGZvY3l0YnBzcnBmIiwicmF0IjoxNTM2OTI2MzI5LCJzdWIiOiJmb29AYmFyLmNvbSJ9.FaeBqkQ71HCudW1MU5XUnQE-Yd5mOm8zqnJ46x0iqQ_pXI9IwlPqqWPaCVlZGR3DXc2RpDW5QY65g2MEKTQFCBCZUpFT8x4_MaLxlzKVQrPnVJhDLGO18YU6NSAOdGz9v4rufNb8kCLxO7iGJExoLqy-osTzf7flFibrABiwVnhmU-oHTu3jnB1F-1vXuIk-tRVEgWqkeJ8PivX8N9wx-tTElz-nW5CFX2CkdNx_3C1CCmOLf36Oxr01c0_SQjtfpmkZsAeJujFXML5Ua3QU3D50I9ivH8hQjv67QW4yycQ78l8UYX19Q3ddFbVbrhyBW0IaMKnbp3DWCsTxLU9Af42X9nbWjW9igYSutsp6Gx8uzRmurHDWXaQfB8zkZ3skCRBtzPNLUcJN53dN6nGUMzd0NS5xfNi3f9eKvZquxrbcQT0_n57CdpvY8n8dUh0LTyq-V0MGd7Vx9RSoidKtmo4vKGi-JnyoowoZ1DhaqgBFbrYDBylLit7xvQw6XpdyLi4tmnfWzegTNBl7yyN5SF8nlCvFzt03QDlQQpGx5joxP5Irb4HFiLzO1rGLIQWVw3TgD5mXgh8mdUC6b7Aru9zCo_3lbirytikyz1RnpARhy4KJvTU15XbNav9xMtwJwQl7TBCRX3T3jZTUh1dgYu1BLjQAJnphWs05lPbFeBY</code>
</li>
</ul>
</body>
</html>
jwt.io decoded IdToken:
{
"acr": "0",
"aud": [
"auth-code-client"
],
"auth_time": 1536926357,
"exp": 1536930004,
"iat": 1536926404,
"iss": "http://localhost:4444/",
"jti": "1db866e1-83f0-4d77-8e43-136c15a98504",
"nonce": "dzcflbtjchgblfocytbpsrpf",
"rat": 1536926329,
"sub": "[email protected]"
}
What is the expected behavior?
Id token should contain "acr":"2" claim
Which version of the software is affected?
V 1.0.0-beta.8 and V 1.0.0-beta.9
Edit
At first description there was error in authorisation request.
Thank you, I'll investigate this.
i think i made a mistake in authorisation request here passing acr_value instead of acr_values - that can be the couse why i dont see acr_values in oidc_context.
But acr setting is still not working... I'm gona check that today and fix issue decription if that is the case.
I'm not sure if you can set acr_value if acr_values isn't set in the request.
You ware right, i have retested the case. With proper acr_values parameter, acr is allways set to "0". I have Updated descrion and how to replicate it. Please give it a second look.
Thank you, I'll investigate this.
...how is it going any clues?
Busy schedule, will try to get it done next week.
But feel free to investigate yourself & supply a PR :)
ok, thanks :D
czw., 20 wrz 2018 o 09:49 hackerman notifications@github.com napisał(a):
But feel free to investigate yourself & supply a PR :)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/ory/hydra/issues/1032#issuecomment-423077977, or mute
the thread
https://github.com/notifications/unsubscribe-auth/AijM5LRkhIFDWSEtGBsbIqo_-4etXSvXks5uc0iWgaJpZM4WoP2L
.
I can confirm that this is not properly propagated!
Most helpful comment
Thank you, I'll investigate this.