changeset 5665:bbde136a4c29

mod_http_oauth2: Include 'amr' claim in ID Token

This essentially just says "password authentication was used". This field could later be used to indicate whether e.g. MFA was used.
author Kim Alvefur <zash@zash.se>
date Thu, 28 Sep 2023 16:38:29 +0200
parents 4b052598e435
children e5ad3f1f48bd
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 2 insertions(+), 1 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Sep 21 18:47:27 2023 -0500
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Sep 28 16:38:29 2023 +0200
@@ -639,7 +639,7 @@
 			user = {
 				username = username;
 				host = module.host;
-				token = new_user_token({ username = username; host = module.host; auth_time = os.time() });
+				token = new_user_token({ username = username; host = module.host; auth_time = os.time(); amr = { "pwd" } });
 			};
 		};
 	elseif form.user_token and form.consent then
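Review bot: The literal `amr = { "pwd" }` on the new `token = new_user_token(...)` line is an assurance statement that relying parties may act on, yet nothing beside it says where the value comes from or when it has to change. I would add a comment above that line, for example `-- amr per RFC 8176: "pwd" = password-based authentication; update if this branch ever accepts another factor`. The enclosing function starts and ends outside the hunk, so this assumes the branch is reached only after a successful password check. Once MFA is added, as the description anticipates, the value should be derived from what was actually verified rather than remain a constant.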
@@ -925,6 +925,7 @@
 		aud = params.client_id;
 		auth_time = auth_state.user.auth_time;
 		nonce = params.nonce;
+		amr = auth_state.user.amr;
 	});
 	local response_type = params.response_type;
 	local response_handler = response_type_handlers[response_type];
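Review bot: `amr = auth_state.user.amr;` places the value in the ID Token with no indication of why it can be trusted. `auth_state` is built outside this hunk; presumably `user` is decoded from the user token that the consent form posts back, in which case the claim is only as reliable as that token's integrity check. A short comment such as `-- amr is taken from the verified user token minted at login, never from request parameters` would record that invariant for whoever extends this for MFA. A user token that carries no `amr` field would yield nil here and the claim would be omitted, which is acceptable because `amr` is optional in OpenID Connect.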