
Dynamically Set ACR Values #137

Open
btmccollum opened this issue Dec 2, 2022 · 3 comments

Comments

@btmccollum

For the purposes of login/auth, I'm curious about the ability to pass a user's name when applicable to prefill a login form along with the login hint email, but it seems that in #authorize_uri the acr values can only be hardcoded from the devise initializer file, whereas login hint and others are taken from params. I am not too well versed in the OpenID spec, but from what I understand it seems like this shouldn't be an issue unless it was implemented in this manner for potential security concerns? Is this something that would possibly be entertained as a PR, or is there something I'm overlooking here?

```ruby
# Start of #authorize_uri as quoted from the gem: acr_values comes from the
# initializer options, while login_hint and the locale hints come from params.
def authorize_uri
  client.redirect_uri = redirect_uri
  opts = {
    response_type: options.response_type,
    response_mode: options.response_mode,
    scope: options.scope,
    state: new_state,
    login_hint: params['login_hint'],
    ui_locales: params['ui_locales'],
    claims_locales: params['claims_locales'],
    prompt: options.prompt,
    nonce: (new_nonce if options.send_nonce),
    hd: options.hd,
    acr_values: options.acr_values,
  }
```
@seanarnold

If I understand you correctly @btmccollum this would be useful for step up authentication.

i.e. when a user already has access but they wish to access a high privilege page, you could re-auth with the acr_values set. Is that what you were thinking?

@davidwessman
Contributor

I would really need this for the prompt option too.
Not sure about the format for that, should we just be able to pass it as parameters to the URL?

Did you think of any way to work around this @seanarnold @btmccollum?

@davidwessman
Contributor

When looking through the `authorize_uri` method I noticed the option `allow_authorize_params`, and when I set it like:

```ruby
config.omniauth(
  :openid_connect,
  {
    name: :provider,
    scope: %i[openid],
    discovery: true,
    pkce: true,
    response_type: :code,
    issuer: provider_url,
    allow_authorize_params: %w[prompt],
    client_options: {...}
  }
)
```

then I can pass prompt=login as a parameter to the authorize endpoint 🙂
Maybe that can work for acr_values too?
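An added example (not code from omniauth_openid_connect or Devise) of the allowlist idea in the comment above, built on a constructed options hash and placeholder acr values: request parameters are only forwarded when their name is in `allow_authorize_params` and, for `acr_values`, when the value is one the relying party recognises. It also shows the check a relying party still needs after the redirect, that the `acr` claim in the returned ID token matches the level the step-up required, since `acr_values` in the request is only a hint to the provider.

```ruby
require 'uri'

# Constructed stand-in for the initializer options (not the gem's options object).
DEFAULT_OPTS = {
  response_type: 'code',
  scope: 'openid',
  prompt: nil,
  acr_values: nil,
  allow_authorize_params: %w[prompt acr_values]
}.freeze

# Placeholder acr values this relying party is willing to request.
KNOWN_ACR = %w[example:acr:mfa example:acr:password].freeze

# Merge request params over the configured defaults, but only for names the
# initializer explicitly allows; everything else in params is ignored.
def authorize_params(opts, params)
  base = {
    response_type: opts[:response_type],
    scope: opts[:scope],
    prompt: opts[:prompt],
    acr_values: opts[:acr_values]
  }
  Array(opts[:allow_authorize_params]).each do |name|
    value = params[name]
    next if value.nil? || value.empty?
    # acr_values is space-separated; drop any value the RP does not know.
    if name == 'acr_values'
      value = (value.split(' ') & KNOWN_ACR).join(' ')
      next if value.empty?
    end
    base[name.to_sym] = value
  end
  base.compact
end

def build_authorize_uri(endpoint, opts, params)
  uri = URI(endpoint)
  uri.query = URI.encode_www_form(authorize_params(opts, params))
  uri.to_s
end

# After the callback: the requested level is not guaranteed, so the acr claim in
# the (already signature-verified) ID token must equal what the step-up needed.
def acr_satisfied?(id_token_claims, required_acr)
  id_token_claims['acr'] == required_acr
end
```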
