OAuth client application fails to validate an OAuth token when the "acr" parameter is included by the NAM IDP server

  • 7024599
  • 01-May-2020
  • 02-May-2020

Environment

  • Access Manager 4.5.0
  • Access Manager 4.5.1

Situation

  • Access Manager IDP server acting as OAuth / OpenID authorization server

  • The client application sends a request to retrieve an access token / id_token using the grant flow

  • The returned id_token includes the "acr" claim, but instead of a string it is encoded as an object wrapping an array ("values"), which the OAuth client fails to process:

    {
      "iss": "https://namdev.npsh.hu/nidp/oauth/nam",
      "sub": "a6de5c23826de14a831ba6de5c23826d",
      "aud": "dce9a3ab-5955-486d-a730-4cca093d1d5d",
      "exp": 1583942285,
      "iat": 1583938685,
      "acr": {
        "values": [
          "secure/name/password/uri"
        ]
      }
    }

Resolution

  • This issue has been fixed in Access Manager version 4.5.2

  • After applying the fix, the "acr" claim is included in the "id_token" as a string
    Example:
    {
      "iss": "https://idpa.kgast.nam.com:8443/nidp/oauth/nam",
      "sub": "80a2c4e12d63db11ae0f0001021ee75e",
      "aud": "e3371584-cc69-41c6-9aef-3074585ad613",
      "exp": 1588248523,
      "iat": 1588244923,
      "acr": "secure/name/password/uri"
    }

Cause

  • The "acr" claim was sent as an array (wrapped in an object) instead of as a string

Additional Information

As per the OpenID Connect Core specification, the acr claim has to be of type string:

acr
OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string.
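Added example (not from the article and not Access Manager or client code): a client-side check that decodes an id_token payload and rejects an "acr" claim that is not a string, as the pre-4.5.2 tokens were, instead of failing unexpectedly. Issuer, subject and audience values are constructed placeholders, and signature verification is assumed to happen separately.

```python
import base64
import json

# Client-side type checks on id_token claims, per OpenID Connect Core 1.0
# section 2. The pre-4.5.2 Access Manager bug sent "acr" as an object wrapping
# an array; a strict client should reject that rather than crash on it.

class IdTokenClaimError(ValueError):
    """Raised when an id_token payload violates the OIDC claim type rules."""

def decode_jwt_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT (signature check is done elsewhere)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenClaimError("id_token is not a three-part compact JWT")
    seg = parts[1]
    # base64url segments carry no padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def validate_claims(claims: dict, allowed_acr=None):
    """Check claim types; return the acr value (None if absent) or raise."""
    for name in ("iss", "sub"):
        if not isinstance(claims.get(name), str):
            raise IdTokenClaimError(f"{name} must be a string")
    aud = claims.get("aud")  # a single string or an array of strings
    if not (isinstance(aud, str)
            or (isinstance(aud, list) and all(isinstance(a, str) for a in aud))):
        raise IdTokenClaimError("aud must be a string or an array of strings")
    for name in ("exp", "iat"):
        val = claims.get(name)
        if not isinstance(val, int) or isinstance(val, bool):
            raise IdTokenClaimError(f"{name} must be an integer timestamp")
    if "acr" not in claims:
        return None  # acr is OPTIONAL
    acr = claims["acr"]
    if not isinstance(acr, str):
        raise IdTokenClaimError(f"acr must be a string, got {type(acr).__name__}")
    # acr is case sensitive and its meaning is agreed between the parties, so
    # an exact match against the configured allow-list is the right comparison.
    if allowed_acr is not None and acr not in allowed_acr:
        raise IdTokenClaimError(f"acr {acr!r} is not an agreed value")
    return acr

# Constructed payloads mirroring the two examples in the article (placeholders).
BROKEN_CLAIMS = {"iss": "https://idp.example/nidp/oauth/nam", "sub": "a6de5c23",
                 "aud": "client-1", "exp": 1583942285, "iat": 1583938685,
                 "acr": {"values": ["secure/name/password/uri"]}}
FIXED_CLAIMS = dict(BROKEN_CLAIMS, acr="secure/name/password/uri")
```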