Updated by Jan Sandbrink 10 months ago
### Steps to reproduce
1. Configure an OpenID Connect provider
2. In the last step, configure claims and/or ACR values
A very visible example is using claims like:
```text
{
  "id_token": {
    "taste": {
      "essential": true,
      "values": ["sweet", "bitter", "salty"]
    }
  }
}
```
**If working correctly, this will fail all SSO logins**, because it requires a claim to be present that will never be present**!!!!!!!!!!!**
### What is the buggy behavior?
* None of them are transmitted to the identity provider when a user signs in
* No validation for missing essential claims happens
### What is the expected behavior?
* Claims should be requested from the identity provider
* Missing essential claims should be validated
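
The two expected behaviours, sketched as an added example (not part of the original report and not the project's code): the configured JSON is sent as the `claims` authorization request parameter, and the verified ID token payload is then checked for every essential claim. The endpoint, client values, function names and sample payload are assumptions, and rejecting a value outside `values` is a policy choice of this example.

```python
import json
from urllib.parse import urlencode

# Claims request from the report (constructed copy of the page's JSON).
CLAIMS_REQUEST = {
    "id_token": {"taste": {"essential": True, "values": ["sweet", "bitter", "salty"]}}
}


def build_authorization_url(endpoint, client_id, redirect_uri, state, nonce, claims):
    """Return the authorization URL with the `claims` request parameter attached."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        # OIDC Core 5.5: the claims request travels as a JSON-encoded parameter.
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return endpoint + "?" + urlencode(params)


def missing_essential_claims(claims_request, id_token_payload):
    """List the essential id_token claims that the verified payload does not satisfy."""
    failures = []
    for name, spec in (claims_request.get("id_token") or {}).items():
        if not (spec or {}).get("essential"):
            continue  # voluntary claims (or a null spec) never fail the login
        if name not in id_token_payload:
            failures.append(f"{name}: missing")
            continue
        allowed = spec.get("values") or ([spec["value"]] if "value" in spec else None)
        got = id_token_payload[name]
        got_list = got if isinstance(got, list) else [got]
        if allowed is not None and not any(v in allowed for v in got_list):
            failures.append(f"{name}: {got!r} not in {allowed!r}")
    return failures


# Constructed, already signature-verified ID token payload without a "taste" claim.
SAMPLE_PAYLOAD = {"iss": "https://idp.example", "sub": "user-1", "aud": "client-1"}

if __name__ == "__main__":
    print(build_authorization_url("https://idp.example/authorize", "client-1",
                                  "https://rp.example/callback", "s1", "n1", CLAIMS_REQUEST))
    print(missing_essential_claims(CLAIMS_REQUEST, SAMPLE_PAYLOAD))  # non-empty: reject login
```

A non-empty result from `missing_essential_claims` is the condition under which the sign-in should be refused.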