Test 1: add acr_values return validation value (#1285)

* Part 1: add acr_values return validation value * Update acr return value validation from OIDC specs * acr validation prompt clarification
2025-07-02 16:42:50 -05:00 · 2021-04-27 15:17:03 -04:00
parent 1bd515e8f0
commit 17db94190e
7 changed files with 48 additions and 6 deletions
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@ -326,6 +326,16 @@ namespace Bit.Sso.Controllers

            var externalUser = result.Principal;

+            // Validate acr claim against expectation before going further
+            if (!string.IsNullOrWhiteSpace(ssoConfigData.ExpectedReturnAcrValue))
+            {
+                var acrClaim = externalUser.FindFirst(JwtClaimTypes.AuthenticationContextClassReference);
+                if (acrClaim?.Value != ssoConfigData.ExpectedReturnAcrValue)
+                {
+                    throw new Exception(_i18nService.T("AcrMissingOrInvalid"));
+                }
+            }
+
            // Ensure the NameIdentifier used is not a transient name ID, if so, we need a different attribute
            //  for the user identifier.
            static bool nameIdIsNotTransient(Claim c) => c.Type == ClaimTypes.NameIdentifier