# HG changeset patch # User Kim Alvefur # Date 1695911909 -7200 # Node ID bbde136a4c29c957ec61139865d2a11997efe6d4 # Parent 4b052598e435d285e7019d63e80b01a1571fb374 mod_http_oauth2: Include 'amr' claim in ID Token This essentially just says "password authentication was used". This field could later be used to indicate whether e.g. MFA was used. diff -r 4b052598e435 -r bbde136a4c29 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Thu Sep 21 18:47:27 2023 -0500 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Sep 28 16:38:29 2023 +0200 @@ -639,7 +639,7 @@ user = { username = username; host = module.host; - token = new_user_token({ username = username; host = module.host; auth_time = os.time() }); + token = new_user_token({ username = username; host = module.host; auth_time = os.time(); amr = { "pwd" } }); }; }; elseif form.user_token and form.consent then @@ -925,6 +925,7 @@ aud = params.client_id; auth_time = auth_state.user.auth_time; nonce = params.nonce; + amr = auth_state.user.amr; }); local response_type = params.response_type; local response_handler = response_type_handlers[response_type];
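Review bot: In the first hunk (@@ -639), the added `amr = { "pwd" }` on the `new_user_token` line is a hard-coded literal with no comment on where the value comes from. "pwd" is the RFC 8176 Authentication Method Reference value for password-based authentication, and a one-line comment naming that registry would help whoever adds the MFA case the commit message anticipates. The literal is also asserted unconditionally, so it is only accurate if every path that reaches this branch has verified a password. Please confirm that, or derive the value from the check that actually succeeded.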
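Review bot: In the second hunk (@@ -925), the added `amr = auth_state.user.amr;` copies the value into the ID Token claims without checking that it is present or what shape it has. When `auth_state.user` has no `amr` field the expression is nil and the claim is simply left out, which is acceptable because OpenID Connect makes `amr` optional, but that behaviour deserves a short comment. Since the claim is defined as an array of strings, consider a guard that only emits it when the value is a non-empty list of strings, so that a malformed value in the user state cannot end up in a signed ID Token.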