By: Chee Meng Low Account Admin 06 Jun 2022 at 10:34 p.m. CDT

5 Responses
We are developing a custom Person Authentication script that allows a user to do an OIDC login with a choice of authentication method (e.g. password vs password+OTP). We want to be able to indicate the authentication method actually applied in an "amr" claim in the ID Token generated by Gluu. E.g. if the user chose to login with password only, the amr claim would have the value "pwd", whereas if the user chose to login with password + OTP, the amr claim would have the value "pwd_otp". This is so that the OIDC Relying Party is able to tell how the user was authenticated. Is there a way (and sample code) for a custom authentication script to inject such an (additional) "claim" into the ID Token?

By Mohib Zico staff 06 Jun 2022 at 10:46 p.m. CDT

Hi, will try to find out whether there is any custom script already available for such a custom claim inside the ID token.

By Yuriy Zabrovarnyy staff 07 Jun 2022 at 7:06 a.m. CDT

The standard `PersonAuthenticationType` script has a `Map<String, String> getAuthenticationMethodClaims(Map<String, SimpleCustomProperty> configurationAttributes);` method which allows setting the `amr` claim: https://github.com/GluuFederation/oxCore/blob/version_4.2.3/core-script/src/main/java/org/gluu/model/custom/script/type/auth/PersonAuthenticationType.java#L44 Sample: https://github.com/GluuFederation/community-edition-setup/blob/version_4.2.3/static/extension/person_authentication/BasicExternalAuthenticator.py#L29

By Chee Meng Low Account Admin 07 Jun 2022 at 10:11 p.m. CDT

Thanks for your response. The sample Jython script you provided did not show an actual sample of a valid amr value to return from the getAuthenticationMethodClaims function. When I made this function return a string (such as "2fa") instead of returning None, I think it triggered some type mismatch error on oxAuth. Please advise, thanks!

By Yuriy Zabrovarnyy staff 08 Jun 2022 at 3:22 a.m. CDT

Yes, we do not have an exact example; the sample above points to the method declaration. The returned type is `Map<String, String>`, not `String`, so you have to return a Map. Note that the server encodes it as `key:value`. So if you put `map.put("key", "pwd")` in the map, in the `id_token` the `amr` claim will appear as `"amr": ["key:pwd"]`.
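
Putting the answer above into code, as an added example that is not Gluu's own code: the `getAuthenticationMethodClaims` body returns a `HashMap` (with a CPython stand-in so it also runs outside Jython), the `key:value` encoding is modelled in `encode_amr`, and `decode_amr` / `rp_requires_mfa` show how the Relying Party from the original question can read the claim back and act on it. The map key `method`, the `used_otp` attribute and the RP policy are assumptions.

```python
# Added example, not Gluu's code: a script-side getAuthenticationMethodClaims()
# that returns a Map (never a String), the server-side "key:value" encoding the
# thread describes modelled in plain Python, and an RP-side decoder/policy check.
try:
    from java.util import HashMap            # the real type inside Gluu's Jython runtime
except ImportError:                            # CPython stand-in offering the same put() call
    class HashMap(dict):
        def put(self, key, value):
            self[key] = value

AMR_KEY = "method"   # assumed map key; oxAuth turns it into the "method:" prefix


class PersonAuthentication(object):
    """Skeleton of a custom person-authentication script (hypothetical state handling)."""

    def __init__(self):
        # Assumed: authenticate() records whether the OTP step was completed.
        # A real script would keep this in the session/working parameters instead.
        self.used_otp = False

    def getAuthenticationMethodClaims(self, configurationAttributes):
        # Return type must be Map<String, String>; a bare string causes the
        # type mismatch mentioned in the thread.
        claims = HashMap()
        claims.put(AMR_KEY, "pwd_otp" if self.used_otp else "pwd")
        return claims


def encode_amr(claims):
    """Model of oxAuth's encoding from the thread: each entry becomes "key:value".
    Only for stand-alone illustration (uses dict.items(), not the Java Map API)."""
    return ["%s:%s" % (k, v) for k, v in sorted(claims.items())]


def decode_amr(amr_values, key=AMR_KEY):
    """RP side: pull the method values published under our key out of the amr list."""
    methods = []
    for entry in amr_values:
        k, sep, v = entry.partition(":")
        if sep and k == key:
            methods.append(v)
    return methods


def rp_requires_mfa(id_token_claims):
    """Example RP policy: accept the session only if password + OTP was used."""
    return "pwd_otp" in decode_amr(id_token_claims.get("amr", []))
```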

By Chee Meng Low Account Admin 08 Jun 2022 at 4:37 a.m. CDT

OK noted. It is odd that "amr" values have to be a Map (that gets converted into a list of key:value strings) -- I thought usually they are just a simple list of strings -- but I can live with this oddity for now. Thanks for the confirmation.