From b9795b5c578f4fd143be14c595f47273e15eaa7b Mon Sep 17 00:00:00 2001
From: Silvan
Date: Wed, 31 Aug 2022 10:16:31 +0200
Subject: [PATCH] fix(amr): add pwd because password is wrong (#4284)
* fix(amr): add pwd because password is wrong
* docs: deprecation notice
* docs: nicer wording
* Update docs/docs/apis/openidoauth/claims.md
Co-authored-by: Livio Spring
Co-authored-by: Livio Spring
---
 docs/docs/apis/openidoauth/claims.md | 2 +-
 internal/api/oidc/auth_request_converter.go | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/docs/apis/openidoauth/claims.md b/docs/docs/apis/openidoauth/claims.md
index 4ebc9b2442..5695e7d12b 100644
--- a/docs/docs/apis/openidoauth/claims.md
+++ b/docs/docs/apis/openidoauth/claims.md
@@ -43,7 +43,7 @@ Please check below the matrix for an overview where which scope is asserted.
 |:-------------------|:-----------------------------------------|-----------------------------------------------------------------------------------------------|
 | acr | TBA | TBA |
 | address | `Teufener Strasse 19, 9000 St. Gallen` | TBA |
-| amr | `pwd mfa` | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) |
+| amr | `pwd mfa` | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176)
`password` value is deprecated, please check `pwd` |
 | aud | `69234237810729019` | The audience of the token, by default all client id's and the project id are included |
 | auth_time | `1311280969` | Unix time of the authentication |
 | azp | `69234237810729234` | Client id of the client who requested the token |
diff --git a/internal/api/oidc/auth_request_converter.go b/internal/api/oidc/auth_request_converter.go
index 927a8c377b..48729705e7 100644
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@@ -18,7 +18,9 @@ import (
 )
 
 const (
+ // DEPRECATED: use `amrPWD` instead
  amrPassword = "password"
+ amrPWD = "pwd"
  amrMFA = "mfa"
  amrOTP = "otp"
  amrUserPresence = "user"
@@ -40,7 +42,7 @@ func (a *AuthRequest) GetACR() string {
 func (a *AuthRequest) GetAMR() []string {
  amr := make([]string, 0)
  if a.PasswordVerified {
- amr = append(amr, amrPassword)
+ amr = append(amr, amrPassword, amrPWD)
  }
  if len(a.MFAsVerified) > 0 {
  amr = append(amr, amrMFA)
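Review bot: The deprecation comment added above `amrPassword` uses an all-caps `DEPRECATED:` prefix, which is not the form Go documentation tooling and linters recognise. The convention is a comment paragraph that starts with `Deprecated:`, so the line would read `// Deprecated: use amrPWD instead.` It would also help to say in that comment why the old value is still emitted (compatibility with existing relying parties) and when it is planned to go away, since nothing in the patch records that. The const block starts and ends outside this hunk.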
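Review bot: In the `a.PasswordVerified` branch of GetAMR, a password-only login now produces two amr entries, `password` and `pwd`, for what is a single authentication factor. A relying party that judges authentication strength by the number of amr values rather than by the presence of `mfa` would presumably over-count, so the intent should be stated at the append, e.g. `// "password" is the legacy alias of "pwd"; both denote the same single factor`. The example in claims.md still shows `pwd mfa`, whereas tokens will carry `password pwd mfa` for as long as the legacy value is kept, and the docs should say that both appear together. GetAMR's body continues past the end of the hunk, and no test covering the new output is visible in this patch.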