Step-up authentication with OpenID Connect
Author: Sheila Albertelli
Created at: Jul 2017
Updated at: Jul 2017
Written by Léonard Moustacchis
A common use case in access management is step-up authentication, and ForgeRock AM supports it well. The OIDC standard covers step-up authentication through the level of authentication (acr) that the client requests.
One could use the acr_values request parameter for this, but acr is then only a voluntary claim, and the OpenID specification says: "the Authorization Server is not required to provide this Claim in its response."
Instead, the acr claim is requested as an essential claim. This is described in chapter 5.5.1.1, Requesting the "acr" Claim, of OpenID Connect Core (see http://openid.net/specs/openid-connect-core-1_0.html#acrSemantics).
Note
In order to demonstrate the functionality, use the following example based on AM 5.1
In the AM console, browse to Realms > Realm Name > Services, and then click OAuth2 Provider.
Configure the mapping between the acr values sent in the authorization request and the AM authentication chains (in this example, 1=ldapService and 2=HOTP chain).
Step 1:
The URL-decoded value of the claims parameter:
{
  "id_token":
  {
    "acr":
    {
      "essential": true,
      "values": ["1"]
    }
  }
}
Click on the URL
http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&scope=openid&client_id=myClientID&redirect_uri=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenid%2Fcb-basic.html&claims=%7B%22id_token%22%3A%20%7B%22acr%22%3A%7B%22essential%22%3A%20true%2C%20%22values%22%3A%5B%221%22%5D%7D%7D%7D&state=af0ifjsldkj
The user enters the login and password.
The returned ID token contains acr=1.
Step 2:
The URL-decoded value of the claims parameter:
{
  "id_token":
  {
    "acr":
    {
      "essential": true,
      "values": ["2"]
    }
  }
}
Note that this is a real step-up authentication: the session from step 1 is still alive at step 2, and the OTP is sent to the user who authenticated at the first step.
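As an added example (not code from the original article or from ForgeRock), the following Python sketch of the relying-party side shows how the claims parameter used in steps 1 and 2 is built and URL-encoded, and how the acr of the returned ID token is checked before the step-up is trusted. The endpoint, client ID, redirect URI and state are the article's example values; the function names are hypothetical, and the ID token payload is assumed to be already signature-verified.

```python
import json
import urllib.parse

# Values taken from the article's example deployment (AM 5.1 on openam.example.com).
AUTHORIZE_ENDPOINT = "http://openam.example.com:8080/openam/oauth2/authorize"
CLIENT_ID = "myClientID"
REDIRECT_URI = "http://openam.example.com:8080/openid/cb-basic.html"

def build_claims_parameter(acr_values):
    """OIDC 'claims' parameter requesting acr as an essential ID token claim
    (OpenID Connect Core 5.5.1.1); compact JSON, no whitespace."""
    claims = {"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}
    return json.dumps(claims, separators=(",", ":"))

def build_authorization_url(acr_values, state, scope="openid"):
    """Assemble the authorization request; urlencode() percent-encodes the
    claims JSON the way the article's URL shows it."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "claims": build_claims_parameter(acr_values),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)

def requested_acr_values(url):
    """Reverse of build_authorization_url: which acr values a request asks for."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return json.loads(query["claims"][0])["id_token"]["acr"]["values"]

def acr_satisfies(id_token_claims, required_acr_values):
    """True only if the ID token carries an acr among the requested values.
    id_token_claims is the payload of an ID token whose signature, issuer,
    audience and expiry the relying party has already verified. A missing
    acr, or one outside the requested set, means no step-up took place and
    the protected operation must stay blocked."""
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in required_acr_values

def needs_step_up(id_token_claims, required_acr_values):
    """Whether the RP must send a fresh authorization request (step 2 of the
    article) instead of reusing the current ID token."""
    return not acr_satisfies(id_token_claims, required_acr_values)
```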