Describe the issue

If we have two Person Authentication Scripts with "the same" security level, then oxAuth's `SessionIdService` class re-orders the passed GET param `acr_values` on the `/oxauth/authorize.htm` endpoint.

If the SP doesn't provide specific `acr_values`, then Gluu picks the "Default requested ACR Values" from the "Advanced Settings" tab in the OIDC Client. This order followed the user-preferred ordering (insertion order) and maintained that exact ordering when the code determined which ACR to pick.

I came across code changes (~2 yrs ago) that unintentionally re-order the passed `acr_values` and break the user-preferred ordering in Default requested ACR values. This creates two different experiences between the Gluu versions below:

[Gluu_v4.1.1] https://github.com/GluuFederation/oxAuth/blob/version_4.1.1/Server/src/main/java/org/gluu/oxauth/service/SessionIdService.java#L897-L906
[Gluu_v4.3.1] https://github.com/GluuFederation/oxAuth/blob/version_4.3.1/Server/src/main/java/org/gluu/oxauth/service/SessionIdService.java#L902-L917
Entry point in `AuthorizeAction.java` > `checkPermissionGranted()` - https://github.com/GluuFederation/oxAuth/blob/version_4.3.1/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeAction.java#L298

Steps To Reproduce

1. Set up two Person Authentication Scripts with the same security level. Name them "Script_A" and "Script_B".
2. Add them to any OIDC Client's "Default requested ACR values" in reverse order, as if you wanted to authenticate using "Script_B", so the order looks like "Script_B and then Script_A".
3. The ACR picked is `Script_A` instead of `Script_B` (because of `HashSet` usage).

Expected behavior

`acr_value=Script_B+Script_A` with the same security level: consider the user-preferred ordering, which is `Script_B`.

Actual behavior

`acr_value=Script_B+Script_A` with the same security level: the user-preferred ordering is not considered and `Script_A` is picked.

Desktop (please complete the following information):
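To make the ordering point concrete, here is a small added Java illustration; it is not oxAuth's code, and the script names, the levels in `SCRIPT_LEVELS` and the `pickAcr...` helpers are constructed for the example. It parses an `acr_values` parameter, de-duplicates it with a `LinkedHashSet` so the client's order survives, and picks the highest-level script, keeping the first-listed one on a tie. The second helper routes the same values through a plain `HashSet` first, so the selection then depends on hash-table iteration order rather than on what the client listed first.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative ACR picker (example code, not oxAuth's implementation).
 * Given the requested acr_values in the order the client listed them and a
 * level per script, choose the script with the highest level; on a tie,
 * keep the client's ordering.
 */
public class AcrOrderingDemo {

    // Constructed sample: Script_A and Script_B share the same level, as in the issue.
    static final Map<String, Integer> SCRIPT_LEVELS = Map.of(
            "Script_A", 50,
            "Script_B", 50,
            "basic", 10);

    /** Parse the acr_values query param; '+' is treated as the URL-encoded space. */
    static List<String> parseAcrValues(String acrValuesParam) {
        String[] parts = acrValuesParam.replace('+', ' ').trim().split("\\s+");
        // LinkedHashSet drops duplicates while keeping first-seen (insertion) order.
        return new ArrayList<>(new LinkedHashSet<>(Arrays.asList(parts)));
    }

    /** Order-preserving selection: the first listed script among those with the max level. */
    static String pickAcrPreservingOrder(Iterable<String> requested) {
        String best = null;
        int bestLevel = Integer.MIN_VALUE;
        for (String acr : requested) {
            Integer level = SCRIPT_LEVELS.get(acr);
            if (level == null) {
                continue; // unknown script name: ignore it
            }
            if (level > bestLevel) { // strict '>' keeps the earlier entry on ties
                best = acr;
                bestLevel = level;
            }
        }
        return best;
    }

    /** Same selection after the values pass through a HashSet, whose iteration order is unspecified. */
    static String pickAcrViaHashSet(List<String> requested) {
        Set<String> unordered = new HashSet<>(requested);
        return pickAcrPreservingOrder(unordered);
    }

    public static void main(String[] args) {
        List<String> requested = parseAcrValues("Script_B+Script_A");
        System.out.println("client order:     " + requested);
        System.out.println("order-preserving: " + pickAcrPreservingOrder(requested));
        System.out.println("after HashSet:    " + pickAcrViaHashSet(requested)
                + " (HashSet iteration order " + new HashSet<>(requested) + " is not guaranteed)");
    }
}
```

Run with `java AcrOrderingDemo.java` (Java 11+). The order-preserving path always yields `Script_B` for `Script_B+Script_A`; the `HashSet` path yields whichever of the two tied scripts the hash table happens to iterate first, which is the behaviour change the issue describes between the linked 4.1.1 and 4.3.1 versions of `SessionIdService`.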