Show acr claim in the introspection response

indigo-iam · Feb 19, 2025 · 2a16b96 · 2a16b96
1 parent 347f25e
commit 2a16b96
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 6 deletions.
diff --git a/...n/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcJWTProfileTokenIntrospectionHelper.java b/...n/java/it/infn/mw/iam/core/oauth/profile/aarc/AarcJWTProfileTokenIntrospectionHelper.java
@@ -86,6 +86,8 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
       }
     }
 
+    addAcrClaimIfNeeded(accessToken, result);
+
     return result;
   }
 

diff --git a/...rvice/src/main/java/it/infn/mw/iam/core/oauth/profile/common/BaseIntrospectionHelper.java b/...rvice/src/main/java/it/infn/mw/iam/core/oauth/profile/common/BaseIntrospectionHelper.java
@@ -108,6 +108,20 @@ protected void addAudience(Map<String, Object> introspectionResult,
 
   }
 
+  protected void addAcrClaimIfNeeded(OAuth2AccessTokenEntity accessToken,
+      Map<String, Object> introspectionResult) {
+
+    try {
+      Object acr = accessToken.getJwt().getJWTClaimsSet().getClaim("acr");
+      if (acr instanceof String acrString) {
+        introspectionResult.put("acr", acrString);
+      }
+    } catch (ParseException e) {
+      LOG.error("Error getting acr claim out of access token: {}", e.getMessage(), e);
+    }
+
+  }
+
   protected Set<String> filterScopes(OAuth2AccessTokenEntity accessToken, Set<String> authScopes) {
 
     Set<ScopeMatcher> matchers = authScopes.stream()

diff --git a/...ain/java/it/infn/mw/iam/core/oauth/profile/iam/IamJWTProfileTokenIntrospectionHelper.java b/...ain/java/it/infn/mw/iam/core/oauth/profile/iam/IamJWTProfileTokenIntrospectionHelper.java
@@ -54,9 +54,9 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
 
     // Intersection of scopes authorized for the client and scopes linked to the
     // access token, using the scope matchers registry
-    
+
     Set<String> scopes = filterScopes(accessToken, authScopes);
-    
+
     addScopeClaim(result, scopes);
 
     if (userInfo != null) {
@@ -80,6 +80,8 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
       }
     }
 
+    addAcrClaimIfNeeded(accessToken, result);
+
     return result;
   }
 

diff --git a/...src/main/java/it/infn/mw/iam/core/oauth/profile/keycloak/KeycloakIntrospectionHelper.java b/...src/main/java/it/infn/mw/iam/core/oauth/profile/keycloak/KeycloakIntrospectionHelper.java
@@ -47,14 +47,15 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
     addIssuerClaim(result);
     addAudience(result, accessToken);
     addScopeClaim(result, filterScopes(accessToken, authScopes));
-
-    Set<String> groups =
-        groupHelper.resolveGroupNames(((UserInfoAdapter) userInfo).getUserinfo());
+
+    Set<String> groups = groupHelper.resolveGroupNames(((UserInfoAdapter) userInfo).getUserinfo());
 
     if (!groups.isEmpty()) {
       result.put(KeycloakGroupHelper.KEYCLOAK_ROLES_CLAIM, groups);
     }
 
+    addAcrClaimIfNeeded(accessToken, result);
+
     return result;
   }
 

diff --git a/...service/src/main/java/it/infn/mw/iam/core/oauth/profile/wlcg/WLCGIntrospectionHelper.java b/...service/src/main/java/it/infn/mw/iam/core/oauth/profile/wlcg/WLCGIntrospectionHelper.java
@@ -47,14 +47,16 @@ public Map<String, Object> assembleIntrospectionResult(OAuth2AccessTokenEntity a
     addIssuerClaim(result);
     addAudience(result, accessToken);
     addScopeClaim(result, filterScopes(accessToken, authScopes));
-    
+
     Set<String> groups =
         groupHelper.resolveGroupNames(accessToken, ((UserInfoAdapter) userInfo).getUserinfo());
 
     if (!groups.isEmpty()) {
       result.put(WLCGGroupHelper.WLCG_GROUPS_SCOPE, groups);
     }
 
+    addAcrClaimIfNeeded(accessToken, result);
+
     return result;
   }
-Original file line number
+Diff line change
@@ Expand Up @@
           }
         }
+        addAcrClaimIfNeeded(accessToken, result);
         return result;
       }
@@ Expand Down @@