diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f856ac5..024702ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -55,6 +55,7 @@ ## Changes since v5.1.1
+- [#598](https://github.com/oauth2-proxy/oauth2-proxy/pull/598) acr_values no longer sent to IdP when empty (@ScottGuymer)
 - [#548](https://github.com/oauth2-proxy/oauth2-proxy/pull/548) Separate logging options out of main options structure (@JoelSpeed)
 - [#536](https://github.com/oauth2-proxy/oauth2-proxy/pull/536) Improvements to Session State code (@JoelSpeed)
 - [#573](https://github.com/oauth2-proxy/oauth2-proxy/pull/573) Properly parse redis urls for cluster and sentinel connections (@amnay-mo)
diff --git a/providers/provider_default.go b/providers/provider_default.go
index 74335e11..9f7ba3c5 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -94,7 +94,9 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
 	a := *p.LoginURL
 	params, _ := url.ParseQuery(a.RawQuery)
 	params.Set("redirect_uri", redirectURI)
-	params.Add("acr_values", p.AcrValues)
+	if p.AcrValues != "" {
+		params.Add("acr_values", p.AcrValues)
+	}
 	if p.Prompt != "" {
 		params.Set("prompt", p.Prompt)
 	} else { // Legacy variant of the prompt param:
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index 658918c4..74d7096f 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -2,6 +2,7 @@ package providers
 
 import (
 	"context"
+	"net/url"
 	"testing"
 	"time"
 
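Review bot: The new guard in provider_default.go still uses `params.Add` for acr_values while the neighbouring redirect_uri and prompt parameters go through `params.Set`, so a configured LoginURL whose RawQuery already carries an acr_values entry would reach the IdP with the parameter twice. `params.Set("acr_values", p.AcrValues)` inside the new `if` keeps the handling consistent and guarantees exactly one value in the authorization request. Whether a duplicated acr_values is tolerated or rejected depends on the IdP, so this is a consistency point rather than a confirmed breakage. GetLoginURL begins before this hunk and its body continues past it.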
@@ -19,3 +20,30 @@ func TestRefresh(t *testing.T) {
 	assert.Equal(t, false, refreshed)
 	assert.Equal(t, nil, err)
 }
+
+func TestAcrValuesNotConfigured(t *testing.T) {
+	p := &ProviderData{
+		LoginURL: &url.URL{
+			Scheme: "http",
+			Host: "my.test.idp",
+			Path: "/oauth/authorize",
+		},
+	}
+
+	result := p.GetLoginURL("https://my.test.app/oauth", "")
+	assert.NotContains(t, result, "acr_values")
+}
+
+func TestAcrValuesConfigured(t *testing.T) {
+	p := &ProviderData{
+		LoginURL: &url.URL{
+			Scheme: "http",
+			Host: "my.test.idp",
+			Path: "/oauth/authorize",
+		},
+		AcrValues: "testValue",
+	}
+
+	result := p.GetLoginURL("https://my.test.app/oauth", "")
+	assert.Contains(t, result, "acr_values=testValue")
+}
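Review bot: Both new tests inspect the login URL by substring, `assert.Contains(t, result, "acr_values=testValue")`, which only works because testValue needs no percent-encoding and would equally match an acr_values occurrence in the path rather than the query. Parsing the result with `url.Parse` and asserting on `u.Query().Get("acr_values")` (empty string for the unconfigured case, `"testValue"` for the configured one) pins the actual query parameter, and `net/url` is already imported by this change. A third case that seeds `LoginURL.RawQuery` with a pre-existing acr_values entry would document how parameters already present on the configured login URL are treated.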