From 5d9d68106aac67af367de323e3ff3102880c4762 Mon Sep 17 00:00:00 2001
From: Engin Diri
Date: Tue, 22 Feb 2022 14:49:44 +0100
Subject: [PATCH] feat: Add acr_values support for OIDC

Signed-off-by: Engin Diri
---
 connector/oidc/oidc.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index b0467330..3953fc39 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -44,6 +44,11 @@ type Config struct {
 	// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
 	InsecureEnableGroups bool `json:"insecureEnableGroups"`
 
+	// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
+	// within the Authentication Request that the Authorization Server is being requested to use for
+	// processing requests from this Client, with the values appearing in order of preference.
+	AcrValues []string `json:"acrValues"`
+
 	// GetUserInfo uses the userinfo endpoint to get additional claims for
 	// the token. This is especially useful where upstreams return "thin"
 	// id tokens
@@ -154,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		hostedDomains: c.HostedDomains,
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 		insecureEnableGroups: c.InsecureEnableGroups,
+		acrValues: c.AcrValues,
 		getUserInfo: c.GetUserInfo,
 		promptType: c.PromptType,
 		userIDKey: c.UserIDKey,
@@ -180,6 +186,7 @@ type oidcConnector struct {
 	hostedDomains []string
 	insecureSkipEmailVerified bool
 	insecureEnableGroups bool
+	acrValues []string
 	getUserInfo bool
 	promptType string
 	userIDKey string
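Review bot: The new `AcrValues` doc comment in the `Config` hunk explains the request parameter but not its security semantics, which is what an operator who sets it to require MFA needs to know: `acr_values` is a preference the upstream provider is free to ignore, and nothing in this patch compares the `acr` claim of the returned ID token against the configured list. Unless the callback path (not in this diff) already performs that check, the comment should say so explicitly so the field is not mistaken for an enforcement control. Suggested wording: `// AcrValues is sent as the acr_values request parameter: the Authentication Context Class References the provider is asked to satisfy, in order of preference. The provider may ignore it, and the acr claim of the resulting ID token is not checked against this list, so it must not be relied on by itself to enforce a given authentication strength.` The other two hunks on this line are field plumbing and need no change.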
@@ -209,6 +216,11 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
 		opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
 	}
 
+	if len(c.acrValues) > 0 {
+		acrValues := strings.Join(c.acrValues, " ")
+		opts = append(opts, oauth2.SetAuthURLParam("acr_values", acrValues))
+	}
+
 	if s.OfflineAccess {
 		opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
 	}
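Review bot: The added `acr_values` parameter is only a request hint, and this change verifies nothing on the way back: under OIDC Core the provider may ignore `acr_values` (it makes `acr` a voluntary claim, not an essential one), so a deployment that configures `acrValues` to demand MFA still accepts an ID token authenticated at any level, or with no `acr` claim at all. The matching check belongs where the ID token claims are parsed in the callback, which is outside this diff; its shape would be: when `c.acrValues` is non-empty, read the `acr` claim, and fail the login with an error naming the expected values if it is absent or not one of the configured references. A one-line comment on the new block, `// Hint only: the provider may ignore acr_values, so the acr claim must be validated on callback.`, would make the gap visible to the next reader. The join with `" "` matches the space-delimited format and `SetAuthURLParam` URL-encodes it, though a configured entry that itself contains a space would be sent as two references. `LoginURL` begins and ends outside the hunk.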