feat: Support standard OIDC MFA claims (amr, acr, auth_time)#39
Open
alexlovelltroy wants to merge 1 commit into
Open
Conversation
Implements issue #34 - Extract and propagate standard OIDC MFA claims from upstream identity providers to enable MFA-aware authorization. ## Changes ### Core Implementation (pkg/tokenservice/exchange.go) - Extract `amr` (Authentication Methods Reference) from OIDC introspection - Extract `acr` (Authentication Context Class) from OIDC introspection - Extract `auth_time` (authentication timestamp) from OIDC introspection - Derive `AuthFactors` from AMR using NIST SP 800-63B factor categories: - Knowledge: pwd, pin, kba - Possession: otp, sms, hwk, swk - Inherence: bio, fido2, face, fpt, iris, retina, vbm - Map AMR to AuthMethods for backward compatibility - Make custom NIST claims (auth_level, auth_factors, auth_methods, session_id, session_exp, auth_events) optional instead of required ### Validation Changes (pkg/token/claims.go) - Relax TSClaims validation to make NIST-specific claims optional - Preserve RFC 7519 mandatory claims (iss, sub, aud, exp, iat, nbf) - Convert NIST claims from required to logged warnings ### Test Coverage (pkg/tokenservice/exchange_oidc_mfa_test.go) - Test AMR extraction from OIDC introspection - Test ACR extraction from OIDC introspection - Test auth_time extraction from OIDC introspection - Test AuthFactors derivation from AMR (all 3 factor categories) - Test backward compatibility (custom NIST + OIDC claims coexist) - Test OIDC-only mode (no custom NIST claims) - Test deriveAuthFactorsFromAMR helper (8 test cases) ## Behavior Changes ### Before - Required custom NIST claims (auth_level, auth_factors, auth_methods) - Token exchange failed without these non-standard claims - No support for standard OIDC MFA claims ### After - Supports standard OIDC MFA claims (amr, acr, auth_time) - Custom NIST claims are optional (backward compatible) - AuthFactors auto-derived from AMR if not explicitly provided - AuthMethods maps to AMR for backward compatibility - Token exchange succeeds with OIDC-only claims ## Testing All tests pass: - pkg/tokenservice: 19 tests, 0 failures - pkg/token: 10 tests, 0 failures - New OIDC MFA tests: 14 tests, 0 failures ## Standards Compliance - OIDC Core 1.0 Section 2 (AMR) - OIDC Core 1.0 Section 3 (ACR) - NIST SP 800-63B §5.2.4 (authentication context) - RFC 8725 (JWT Best Current Practices) Closes #34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements issue #34 - Extract and propagate standard OIDC MFA claims from upstream identity providers to enable MFA-aware authorization.
Changes
Core Implementation (pkg/tokenservice/exchange.go)
amr(Authentication Methods Reference) from OIDC introspectionacr(Authentication Context Class) from OIDC introspectionauth_time(authentication timestamp) from OIDC introspectionAuthFactorsfrom AMR using NIST SP 800-63B factor categories:Validation Changes (pkg/token/claims.go)
Test Coverage (pkg/tokenservice/exchange_oidc_mfa_test.go)
Behavior Changes
Before
After
Testing
All tests pass:
Standards Compliance
Closes #34
Pull Request Template
Thank you for your contribution! Please ensure the following before submitting:
Checklist
make test(or equivalent) locally and all tests passgit commit -s) with my real name and email<filename>.licensesidecarLICENSES/directoryDescription
Please include a summary of the change and which issue is fixed.
Also include relevant motivation and context.
Fixes #(issue)
Type of Change
For more info, see Contributing Guidelines.