Skip to content

feat: Support standard OIDC MFA claims (amr, acr, auth_time)#39

Open
alexlovelltroy wants to merge 1 commit into
integration/wormholefrom
34-feature-support-standard-oidc-mfa-claims-amr-acr-auth_time
Open

feat: Support standard OIDC MFA claims (amr, acr, auth_time)#39
alexlovelltroy wants to merge 1 commit into
integration/wormholefrom
34-feature-support-standard-oidc-mfa-claims-amr-acr-auth_time

Conversation

@alexlovelltroy

Copy link
Copy Markdown
Member

Implements issue #34 - Extract and propagate standard OIDC MFA claims from upstream identity providers to enable MFA-aware authorization.

Changes

Core Implementation (pkg/tokenservice/exchange.go)

  • Extract amr (Authentication Methods Reference) from OIDC introspection
  • Extract acr (Authentication Context Class) from OIDC introspection
  • Extract auth_time (authentication timestamp) from OIDC introspection
  • Derive AuthFactors from AMR using NIST SP 800-63B factor categories:
    • Knowledge: pwd, pin, kba
    • Possession: otp, sms, hwk, swk
    • Inherence: bio, fido2, face, fpt, iris, retina, vbm
  • Map AMR to AuthMethods for backward compatibility
  • Make custom NIST claims (auth_level, auth_factors, auth_methods, session_id, session_exp, auth_events) optional instead of required

Validation Changes (pkg/token/claims.go)

  • Relax TSClaims validation to make NIST-specific claims optional
  • Preserve RFC 7519 mandatory claims (iss, sub, aud, exp, iat, nbf)
  • Convert NIST claims from required to logged warnings

Test Coverage (pkg/tokenservice/exchange_oidc_mfa_test.go)

  • Test AMR extraction from OIDC introspection
  • Test ACR extraction from OIDC introspection
  • Test auth_time extraction from OIDC introspection
  • Test AuthFactors derivation from AMR (all 3 factor categories)
  • Test backward compatibility (custom NIST + OIDC claims coexist)
  • Test OIDC-only mode (no custom NIST claims)
  • Test deriveAuthFactorsFromAMR helper (8 test cases)

Behavior Changes

Before

  • Required custom NIST claims (auth_level, auth_factors, auth_methods)
  • Token exchange failed without these non-standard claims
  • No support for standard OIDC MFA claims

After

  • Supports standard OIDC MFA claims (amr, acr, auth_time)
  • Custom NIST claims are optional (backward compatible)
  • AuthFactors auto-derived from AMR if not explicitly provided
  • AuthMethods maps to AMR for backward compatibility
  • Token exchange succeeds with OIDC-only claims

Testing

All tests pass:

  • pkg/tokenservice: 19 tests, 0 failures
  • pkg/token: 10 tests, 0 failures
  • New OIDC MFA tests: 14 tests, 0 failures

Standards Compliance

  • OIDC Core 1.0 Section 2 (AMR)
  • OIDC Core 1.0 Section 3 (ACR)
  • NIST SP 800-63B §5.2.4 (authentication context)
  • RFC 8725 (JWT Best Current Practices)

Closes #34

Pull Request Template

Thank you for your contribution! Please ensure the following before submitting:

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email
  • REUSE Compliance:
    • Each new/modified source file has SPDX copyright and license headers
    • Any non-commentable files include a <filename>.license sidecar
    • All referenced licenses are present in the LICENSES/ directory

Description

Please include a summary of the change and which issue is fixed.
Also include relevant motivation and context.

Fixes #(issue)

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.

Implements issue #34 - Extract and propagate standard OIDC MFA claims
from upstream identity providers to enable MFA-aware authorization.

## Changes

### Core Implementation (pkg/tokenservice/exchange.go)
- Extract `amr` (Authentication Methods Reference) from OIDC introspection
- Extract `acr` (Authentication Context Class) from OIDC introspection
- Extract `auth_time` (authentication timestamp) from OIDC introspection
- Derive `AuthFactors` from AMR using NIST SP 800-63B factor categories:
  - Knowledge: pwd, pin, kba
  - Possession: otp, sms, hwk, swk
  - Inherence: bio, fido2, face, fpt, iris, retina, vbm
- Map AMR to AuthMethods for backward compatibility
- Make custom NIST claims (auth_level, auth_factors, auth_methods,
  session_id, session_exp, auth_events) optional instead of required

### Validation Changes (pkg/token/claims.go)
- Relax TSClaims validation to make NIST-specific claims optional
- Preserve RFC 7519 mandatory claims (iss, sub, aud, exp, iat, nbf)
- Convert NIST claims from required to logged warnings

### Test Coverage (pkg/tokenservice/exchange_oidc_mfa_test.go)
- Test AMR extraction from OIDC introspection
- Test ACR extraction from OIDC introspection
- Test auth_time extraction from OIDC introspection
- Test AuthFactors derivation from AMR (all 3 factor categories)
- Test backward compatibility (custom NIST + OIDC claims coexist)
- Test OIDC-only mode (no custom NIST claims)
- Test deriveAuthFactorsFromAMR helper (8 test cases)

## Behavior Changes

### Before
- Required custom NIST claims (auth_level, auth_factors, auth_methods)
- Token exchange failed without these non-standard claims
- No support for standard OIDC MFA claims

### After
- Supports standard OIDC MFA claims (amr, acr, auth_time)
- Custom NIST claims are optional (backward compatible)
- AuthFactors auto-derived from AMR if not explicitly provided
- AuthMethods maps to AMR for backward compatibility
- Token exchange succeeds with OIDC-only claims

## Testing
All tests pass:
- pkg/tokenservice: 19 tests, 0 failures
- pkg/token: 10 tests, 0 failures
- New OIDC MFA tests: 14 tests, 0 failures

## Standards Compliance
- OIDC Core 1.0 Section 2 (AMR)
- OIDC Core 1.0 Section 3 (ACR)
- NIST SP 800-63B §5.2.4 (authentication context)
- RFC 8725 (JWT Best Current Practices)

Closes #34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant