By: Chee Meng Low Account Admin 26 Jul 2022 at 11:22 p.m. CDT

5 Responses
My Gluu installation has a few custom authentication scripts (hence, different "acr" values) intended for different OIDC clients. I have 2 questions:

a. Is it possible to configure Gluu so that a specific OIDC client is restricted to a specific "acr" value(s)? E.g.: Let's say 3 authentication scripts "acr1", "acr2", "acr3" are enabled on Gluu, but I want OIDC client A to only support "acr1", and OIDC client B to only support "acr2".

b. Is it possible to configure Gluu so that "simple_password_auth" is disabled for a specific OIDC client? E.g. if I want to make sure OIDC client C only allows requests bearing "acr"s that support 2-factor authentication.

Thanks in advance for any advice.

By Michael Schwartz Account Admin 27 Jul 2022 at 3:45 p.m. CDT

You could certainly enforce this in an authn script. I would use the `default_acr` for the client to specify the preferred authn mechanism for that client. If you need more than one per client, you could perhaps use a properties file in the script (maybe a json that also specifies the priority?). Net-net, there are a few ways to accomplish this.

By Chee Meng Low Account Admin 27 Jul 2022 at 8:53 p.m. CDT

Yes, I'm aware we can implement an "allowed-clients" property for each authentication script. That would generally work I guess. However, is there a way to also restrict the allowed clients for the out-of-the-box "simple_password_auth" ACR? I could not find any interception script of that name. Thanks for any further advice.

By Chee Meng Low Account Admin 27 Jul 2022 at 9:41 p.m. CDT

As a further comment, "default_acr" for an OIDC client can easily be overridden in the /authorize call from the client, so it won't achieve my intent of preventing a client from intentionally or accidentally specifying an "acr" that it should not be using.

By Mohib Zico staff 05 Aug 2022 at 11:36 p.m. CDT

Hi Chee Meng, I believe it's possible with a custom authentication script. You can return `False` for the Prepare for Step method. Something like...

```python
def prepareForStep(self, configurationAttributes, requestParameters, step):
    # isClientDisabledForThisAcr stands for the script's own check of whether
    # the calling client may use this acr; returning False aborts the flow.
    if isClientDisabledForThisAcr:
        return False
    return True
```

By Chee Meng Low Account Admin 07 Aug 2022 at 8:16 p.m. CDT

Thanks for your response, and your suggestion does work for custom authentication scripts. But how do I do this for the out-of-the-box "simple_password_auth" ACR? I could not find an authentication script of the same name, so I'm not sure how to edit or disable it. I wanted a way to restrict certain OIDC clients to only use ACRs that require two factors, but I am not sure how to prevent the client from invoking OIDC flows using acr="simple_password_auth".