- Bug
- Resolution: Done
- Critical
- RH-SSO-7.6.1
- False
- None
- False
Issue description
Step-up authentication is working fine when used as a 2nd condition with OTP.
In this case the access token has the ACR value 2.
But when the 2nd condition is an external IDP, the ACR value remains 1, although we have been through a 2-step authentication.
Use case reproducer
Part I - Installing demo template
This analysis was done with the demo-template example of Keycloak 9.0.3, which works fine with RH-SSO 7.6.1:
https://github.com/keycloak/keycloak/blob/9.0.3
1.1 Download and install RH-SSO 7.6.1
1.2 Deploy and install the RH-SSO 7.6.1 Java JBoss EAP adapter.
1.3 Import the demo template from keycloak 9.0.3 located within testrealm.json
https://github.com/keycloak/keycloak/blob/9.0.3/examples/demo-template/testrealm.json
1.4 Compile and deploy:
- customer-app
- product-app
- database service
1.5 Testing
Test that you can connect to each of the services.
Part II - Test of ACR value (2)
2.1 Realm demo creation / step-up authentication flow.
Create a new browser login authentication flow (called "Browser step-up") exactly as described in the RH-SSO 7.6.1 documentation, section
8.3.4. Creating a browser login flow with step-up mechanism
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/configuring-authentication_server_administration_guide#step-up-flow
2.2 Configure ACR value for customer-app
Go to the customer-app and configure the default ACR value to be 2.
2.3 Testing
Test that access to the URL http://localhost:8080/customer-portal requires two levels of authentication:
username/password form + OTP form.
2.4 Adding Acr value display
Modify the customer-app to add a JSP which displays the ACR value of the access token.
~~~
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- Imports needed for the adapter's security context and the parsed access token --%>
<%@ page import="org.keycloak.KeycloakSecurityContext" %>
<%@ page import="org.keycloak.representations.AccessToken" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>ACR Example</title>
</head>
<body bgcolor="#ffffff">
<h1>ACR Example</h1>
<%
// The EAP adapter stores the security context as a request attribute keyed by the class name
KeycloakSecurityContext securityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
// Parsed access token of the current session; acr is a String claim ("1", "2", ...)
AccessToken accessToken = securityContext.getToken();
%>
<hr />
<h2>Access Token - basic claims</h2>
<p><b>subj: </b><%=accessToken.getSubject()%></p>
<p><b>acr: </b><%=accessToken.getAcr()%></p>
<hr />
</body>
</html>
~~~
The way to test it is:
1. Log in to the customer-app
using the username/password form + OTP form.
2. Invoke the OIDC URL
---> It will display the access token ACR value (2).
Part III - Test with an external IDP
3.1 Configure an external IDP for the demo realm as described in the KCS article:
https://access.redhat.com/solutions/6993223
- Create a new IDP realm that you will call oid1_idp1_realm
- Create a new user stian/password
3.2 Disable the OTP form as the 2nd condition factor.
3.3 Add the external IDP redirector as the 2nd condition factor.
3.4 Testing
1. Log in to http://localhost:8080/customer-portal
---> This time, it will require logging in using:
username/password form + external IDP form.
2. Invoke the OIDC URL
---> It will display the access token ACR value (1).
Part IV - Synthesis
When an external IDP is used as the 2nd conditional factor, the ACR value remains set to 1 in the access token, although it should have been 2.
===> This means that the ACR value is incorrectly computed in this case.
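As an added example (not code from this issue or from RH-SSO), this is the check a relying party such as customer-app can make on the already-verified token claims, so that a session whose acr stays 1, as in the external IDP case above, is not treated as step-up authenticated. The claim payloads, the client name and the acr-to-LoA mapping dict are constructed for illustration.

```python
"""App-side enforcement of the step-up level from the acr claim.

The claims dicts below are constructed to mimic the access-token payload
the customer-app sees in the two scenarios of this issue; they are not
real tokens. Signature and expiry checks are assumed to have been done
already by the adapter, so only verified claims are inspected here.
"""


def effective_loa(claims, acr_loa_map=None):
    """Return the Level of Authentication proven by the token as an int.

    Keycloak emits acr as a string. Without a client-level acr-to-LoA
    mapping it carries the LoA number itself ("1", "2"); with a mapping
    (assumed here as a dict such as {"silver": 1, "gold": 2}) it carries
    the mapped name. Anything absent or unrecognised counts as level 0.
    """
    acr = claims.get("acr")
    if acr is None:
        return 0
    acr = str(acr)
    if acr_loa_map and acr in acr_loa_map:
        return int(acr_loa_map[acr])
    try:
        return int(acr)
    except ValueError:
        return 0


def meets_required_loa(claims, required_loa, acr_loa_map=None):
    """True only when the token proves at least required_loa."""
    return effective_loa(claims, acr_loa_map) >= required_loa


def check_customer_portal(claims):
    """customer-app in this issue is configured with default acr value 2."""
    return meets_required_loa(claims, 2)


# Constructed payloads for the two flows described above.
TOKEN_OTP_FLOW = {"sub": "user-1", "azp": "customer-portal", "acr": "2"}
TOKEN_EXTERNAL_IDP_FLOW = {"sub": "user-1", "azp": "customer-portal", "acr": "1"}

if __name__ == "__main__":
    for name, tok in (("OTP flow", TOKEN_OTP_FLOW),
                      ("external IDP flow", TOKEN_EXTERNAL_IDP_FLOW)):
        verdict = "accepted" if check_customer_portal(tok) else "rejected"
        print(f"{name}: acr={tok['acr']} -> {verdict}")
```

With the bug described in this issue, the external IDP flow is rejected by this check even though the user went through two steps, which is how the app notices the wrong ACR instead of silently granting access.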