Test 1: add acr_values return validation value (#1285)

* Part 1: add acr_values return validation value * Update acr return value validation from OIDC specs * acr validation prompt clarification
2025-12-22 19:23:45 +00:00 · 2021-04-27 15:17:03 -04:00
parent 1bd515e8f0
commit 17db94190e
7 changed files with 48 additions and 6 deletions
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@@ -333,19 +333,21 @@ namespace Bit.Core.Business.Sso
            {
                oidcOptions.Scope.AddIfNotExists(scope);
            }
+            if (!string.IsNullOrWhiteSpace(config.ExpectedReturnAcrValue))
+            {
+                oidcOptions.Scope.AddIfNotExists(OpenIdConnectScopes.Acr);
+            }

            oidcOptions.StateDataFormat = new DistributedCacheStateDataFormatter(_httpContextAccessor, name);

            // see: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest (acr_values)
            if (!string.IsNullOrWhiteSpace(config.AcrValues))
            {
-                oidcOptions.Events = new OpenIdConnectEvents
+                oidcOptions.Events ??= new OpenIdConnectEvents();
+                oidcOptions.Events.OnRedirectToIdentityProvider = ctx =>
                {
-                    OnRedirectToIdentityProvider = ctx =>
-                    {
-                        ctx.ProtocolMessage.AcrValues = config.AcrValues;
-                        return Task.CompletedTask;
-                    }
+                    ctx.ProtocolMessage.AcrValues = config.AcrValues;
+                    return Task.CompletedTask;
                };
            }