fix(amr): add pwd because password is wrong (#4284)

* fix(amr): add pwd because password is wrong * docs: deprecation notice * docs: nicer wording * Update docs/docs/apis/openidoauth/claims.md Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-02-28 21:27:22 +00:00 · 2022-08-31 10:16:31 +02:00 · 2022-08-31 10:16:31 +02:00 · b9795b5c57
commit b9795b5c57
parent 77b4fc5487
2 changed files with 4 additions and 2 deletions
--- a/docs/docs/apis/openidoauth/claims.md
+++ b/docs/docs/apis/openidoauth/claims.md
@ -43,7 +43,7 @@ Please check below the matrix for an overview where which scope is asserted.
 |:-------------------|:-----------------------------------------|-----------------------------------------------------------------------------------------------|
 | acr                | TBA                                      | TBA                                                                                           |
 | address            | `Teufener Strasse 19, 9000 St. Gallen`   | TBA                                                                                           |
-| amr                | `pwd mfa`                                | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) |
+| amr                | `pwd mfa`                                | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) <br/> `password` value is deprecated, please check `pwd` |
 | aud                | `69234237810729019`                      | The audience of the token, by default all client id's and the project id are included         |
 | auth_time          | `1311280969`                             | Unix time of the authentication                                                               |
 | azp                | `69234237810729234`                      | Client id of the client who requested the token                                               |
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@ -18,7 +18,9 @@ import (
 )

 const (
+	// DEPRECATED: use `amrPWD` instead
 	amrPassword     = "password"
+	amrPWD          = "pwd"
 	amrMFA          = "mfa"
 	amrOTP          = "otp"
 	amrUserPresence = "user"
@ -40,7 +42,7 @@ func (a *AuthRequest) GetACR() string {
 func (a *AuthRequest) GetAMR() []string {
 	amr := make([]string, 0)
 	if a.PasswordVerified {
-		amr = append(amr, amrPassword)
+		amr = append(amr, amrPassword, amrPWD)
 	}
 	if len(a.MFAsVerified) > 0 {
 		amr = append(amr, amrMFA)