Fix ID-porten acr claim

Altinn · Oct 15, 2024 · 0095dfa · 0095dfa
1 parent 378f306
commit 0095dfa
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/TokenGenerator/Services/Token.cs b/TokenGenerator/Services/Token.cs
@@ -185,7 +185,7 @@ public async Task<string> GetPersonalToken(string env, string[] scopes, uint use
                 { "pid", pid },
                 { "token_type", "Bearer" },
                 { "client_id", Guid.NewGuid().ToString() },
-                { "acr", "Level" + authLvl },
+                { "acr", GetAcrLevel(authLvl) },
                 { "scope", string.Join(' ', scopes) },
                 { "exp", dateTimeOffset.ToUnixTimeSeconds() + ttl },
                 { "iat", dateTimeOffset.ToUnixTimeSeconds() },
@@ -221,6 +221,18 @@ public async Task<string> GetPersonalToken(string env, string[] scopes, uint use
 
         }
 
+        private string GetAcrLevel(string authLvl)
+        {
+            return authLvl switch
+            {
+                "3" => "idporten-loa-substantial",
+                "4" => "idporten-loa-high",
+                // NOTE! This is not currently a value that ID-porten produces
+                // https://docs.digdir.no/docs/idporten/oidc/oidc_protocol_new_idporten#new-acr-values
+                _ => "idporten-loa-low"
+            };
+        }
+
         public async Task<string> GetConsentToken(string env, string[] serviceCodes, IQueryCollection queryParameters,
             Guid authorizationCode, string offeredBy, string coveredBy, string handledBy, uint ttl)
         {