Apply id_token claims from the auth request to issued ID Token.

Author: rohe

src/oidcop/oidc/userinfo.py

@@ -144,7 +144,7 @@ def process_request(self, request=None, **kwargs):
             if _claims:
                 _acr_request = _claims.get("acr")
                 if _acr_request:
-                    if claims_match(_grant.authentication_event["authn_info"], _acr):
+                    if claims_match(_grant.authentication_event["authn_info"], _acr_request):
                         info["acr"] = _grant.authentication_event["authn_info"]
         else:
             info = {

src/oidcop/session/grant.py

@@ -9,6 +9,7 @@
 
 from oidcop.authn_event import AuthnEvent
 from oidcop.session import MintingNotAllowed
+from oidcop.session.claims import claims_match
 from oidcop.session.token import AccessToken
 from oidcop.session.token import AuthorizationCode
 from oidcop.session.token import IDToken
@@ -221,6 +222,13 @@ def payload_arguments(
         user_info = endpoint_context.claims_interface.get_user_claims(user_id, _claims_restriction)
         payload.update(user_info)
 
+        # Should I add the acr value
+        _release = self.claims.get(claims_release_point)
+        if _release:
+            _acr_request = _release.get("acr")
+            if claims_match(self.authentication_event["authn_info"], _acr_request):
+                payload["acr"] = self.authentication_event["authn_info"]
+
         return payload
 
     def mint_token(

tests/test_05_id_token.py

@@ -115,6 +115,11 @@ def full_path(local_file):
             "acr": INTERNETPROTOCOLPASSWORD,
             "class": "oidcop.user_authn.user.NoAuthn",
             "kwargs": {"user": "diana"},
+        },
+        "mfa": {
+            "acr": 'https://refeds.org/profile/mfa',
+            "class": "oidcop.user_authn.user.NoAuthn",
+            "kwargs": {"user": "diana"},
         }
     },
     "session_manager": {
@@ -170,15 +175,15 @@ def create_session_manager(self):
         self.session_manager = self.endpoint_context.session_manager
         self.user_id = USER_ID
 
-    def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
+    def _create_session(self, auth_req, sub_type="public", sector_identifier="", authn_info=''):
         if sector_identifier:
             authz_req = auth_req.copy()
             authz_req["sector_identifier_uri"] = sector_identifier
         else:
             authz_req = auth_req
 
         client_id = authz_req["client_id"]
-        ae = create_authn_event(self.user_id)
+        ae = create_authn_event(self.user_id, authn_info=authn_info)
         return self.session_manager.create_session(
             ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
         )
@@ -587,3 +592,20 @@ def test_id_token_info(self):
         get_sign_and_encrypt_algorithms(
             endpoint_context, client_info, payload_type="id_token", sign=True, encrypt=True
         )
+
+    def test_id_token_acr_claim(self):
+        _req = AREQS.copy()
+        _req["claims"] = {"id_token": {"acr": {"value": "https://refeds.org/profile/mfa"}}}
+
+        session_id = self._create_session(_req,authn_info="https://refeds.org/profile/mfa")
+        grant = self.session_manager[session_id]
+        code = self._mint_code(grant, session_id)
+        access_token = self._mint_access_token(grant, session_id, code)
+
+        id_token = self._mint_id_token(
+            grant, session_id, token_ref=code, access_token=access_token.value
+        )
+
+        _jwt = factory(id_token.value)
+        _id_token_content = _jwt.jwt.payload()
+        assert _id_token_content["acr"] == "https://refeds.org/profile/mfa"