claims: add amr for authentication method

app/services/session_creator.go

@@ -3,17 +3,17 @@ package services
 import (
 	"github.com/keratin/authn-server/app"
 	"github.com/keratin/authn-server/app/data"
-	"github.com/keratin/authn-server/lib/route"
 	"github.com/keratin/authn-server/app/models"
-	"github.com/keratin/authn-server/ops"
 	"github.com/keratin/authn-server/app/tokens/identities"
 	"github.com/keratin/authn-server/app/tokens/sessions"
+	"github.com/keratin/authn-server/lib/route"
+	"github.com/keratin/authn-server/ops"
 	"github.com/pkg/errors"
 )
 
 func SessionCreator(
 	accountStore data.AccountStore, refreshTokenStore data.RefreshTokenStore, keyStore data.KeyStore, actives data.Actives, cfg *app.Config, reporter ops.ErrorReporter,
-	accountID int, audience *route.Domain, existingToken *models.RefreshToken,
+	accountID int, audience *route.Domain, existingToken *models.RefreshToken, amr []string,
 ) (string, string, error) {
 	var err error
 	err = SessionEnder(refreshTokenStore, existingToken)
@@ -36,7 +36,7 @@ func SessionCreator(
 	}
 
 	// create new session token
-	session, err := sessions.New(refreshTokenStore, cfg, accountID, audience.String())
+	session, err := sessions.New(refreshTokenStore, cfg, accountID, audience.String(), amr)
 	if err != nil {
 		return "", "", errors.Wrap(err, "sessions.New")
 	}

app/services/session_creator_test.go

@@ -33,7 +33,7 @@ func TestSessionCreator(t *testing.T) {
 	t.Run("tracks last login while generating tokens", func(t *testing.T) {
 		identityToken, refreshToken, err := services.SessionCreator(
 			accountStore, refreshStore, keyStore, nil, cfg, reporter,
-			account.ID, audience, nil,
+			account.ID, audience, nil, nil,
 		)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, identityToken)
@@ -48,7 +48,7 @@ func TestSessionCreator(t *testing.T) {
 		activesStore := mock.NewActives()
 		_, _, err := services.SessionCreator(
 			accountStore, refreshStore, keyStore, activesStore, cfg, reporter,
-			account.ID, audience, nil,
+			account.ID, audience, nil, nil,
 		)
 		require.NoError(t, err)
 
@@ -63,7 +63,7 @@ func TestSessionCreator(t *testing.T) {
 
 		_, _, err = services.SessionCreator(
 			accountStore, refreshStore, keyStore, nil, cfg, reporter,
-			account.ID, audience, &token,
+			account.ID, audience, &token, nil,
 		)
 		assert.NoError(t, err)
 

app/services/session_refresher_test.go

@@ -30,7 +30,7 @@ func TestSessionRefresher(t *testing.T) {
 
 	accountID := 0
 	audience := &route.Domain{Hostname: "authn.example.com", Port: "8080"}
-	session, err := sessions.New(refreshStore, cfg, accountID, audience.String())
+	session, err := sessions.New(refreshStore, cfg, accountID, audience.String(), []string{"pwd"})
 	require.NoError(t, err)
 	assert.NotEmpty(t, session.SessionID)
 

app/tokens/identities/identity.go

@@ -17,8 +17,9 @@ import (
 // Note that this type is embedded in the go client when changing:
 // https://github.com/keratin/authn-go/blob/master/authn/claims.go
 type Claims struct {
-	AuthTime  *jwt.NumericDate `json:"auth_time"`
-	SessionID string           `json:"sid"`
+	AuthTime            *jwt.NumericDate `json:"auth_time"`
+	SessionID           string           `json:"sid"`
+	AuthMethodReference []string         `json:"amr"`
 	jwt.Claims
 }
 
@@ -40,8 +41,9 @@ func (c *Claims) Sign(key *private.Key) (string, error) {
 
 func New(cfg *app.Config, session *sessions.Claims, accountID int, audience string) *Claims {
 	return &Claims{
-		AuthTime:  session.IssuedAt,
-		SessionID: session.SessionID,
+		AuthTime:            session.IssuedAt,
+		SessionID:           session.SessionID,
+		AuthMethodReference: session.AuthMethodReference,
 		Claims: jwt.Claims{
 			Issuer:   session.Issuer,
 			Subject:  strconv.Itoa(accountID),

app/tokens/identities/identity_test.go

@@ -24,7 +24,7 @@ func TestIdentityClaims(t *testing.T) {
 	}
 	key, err := private.GenerateKey(512)
 	require.NoError(t, err)
-	session, err := sessions.New(store, &cfg, 1, "example.com")
+	session, err := sessions.New(store, &cfg, 1, "example.com", []string{"pwd"})
 	require.NoError(t, err)
 
 	t.Run("includes KID", func(t *testing.T) {

app/tokens/sessions/session.go

@@ -15,9 +15,10 @@ import (
 const scope = "refresh"
 
 type Claims struct {
-	Scope     string `json:"scope"`
-	Azp       string `json:"azp"`
-	SessionID string `json:"sid"`
+	Scope               string   `json:"scope"`
+	Azp                 string   `json:"azp"`
+	SessionID           string   `json:"sid"`
+	AuthMethodReference []string `json:"amr"`
 	jwt.Claims
 }
 
@@ -58,16 +59,17 @@ func Parse(tokenStr string, cfg *app.Config) (*Claims, error) {
 	return &claims, nil
 }
 
-func New(store data.RefreshTokenStore, cfg *app.Config, accountID int, authorizedAudience string) (*Claims, error) {
+func New(store data.RefreshTokenStore, cfg *app.Config, accountID int, authorizedAudience string, amr []string) (*Claims, error) {
 	refreshToken, err := store.Create(accountID)
 	if err != nil {
 		return nil, errors.Wrap(err, "Create")
 	}
 
 	return &Claims{
-		Scope:     scope,
-		Azp:       authorizedAudience,
-		SessionID: uuid.NewString(),
+		Scope:               scope,
+		Azp:                 authorizedAudience,
+		SessionID:           uuid.NewString(),
+		AuthMethodReference: amr,
 		Claims: jwt.Claims{
 			Issuer:   cfg.AuthNURL.String(),
 			Subject:  string(refreshToken),

app/tokens/sessions/session_test.go

@@ -20,7 +20,7 @@ func TestNewAndParseAndSign(t *testing.T) {
 		SessionSigningKey: []byte("key-a-reno"),
 	}
 
-	token, err := sessions.New(store, &cfg, 658908, "example.com")
+	token, err := sessions.New(store, &cfg, 658908, "example.com", []string{"pwd"})
 	require.NoError(t, err)
 	assert.Equal(t, "refresh", token.Scope)
 	assert.Equal(t, "http://authn.example.com", token.Issuer)
@@ -51,7 +51,7 @@ func TestParseInvalidSessionJWT(t *testing.T) {
 	cfg := app.Config{AuthNURL: &authn, SessionSigningKey: key}
 
 	t.Run("old key", func(t *testing.T) {
-		token, err := sessions.New(store, &app.Config{AuthNURL: &authn}, 1, mainApp.Host)
+		token, err := sessions.New(store, &app.Config{AuthNURL: &authn}, 1, mainApp.Host, []string{"pwd"})
 		require.NoError(t, err)
 		tokenStr, err := token.Sign([]byte("old key"))
 		require.NoError(t, err)
@@ -61,7 +61,7 @@ func TestParseInvalidSessionJWT(t *testing.T) {
 	})
 
 	t.Run("different audience", func(t *testing.T) {
-		token, err := sessions.New(store, &app.Config{AuthNURL: &authn}, 2, mainApp.Host)
+		token, err := sessions.New(store, &app.Config{AuthNURL: &authn}, 2, mainApp.Host, []string{"pwd"})
 		require.NoError(t, err)
 		token.Audience = jwt.Audience{mainApp.String()}
 		tokenStr, err := token.Sign(key)

server/handlers/get_oauth_return.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"github.com/pkg/errors"
@@ -52,10 +53,12 @@ func GetOauthReturn(app *app.App, providerName string) http.HandlerFunc {
 			return
 		}
 
+		amr := []string{fmt.Sprintf("oauth:%s", providerName)}
+
 		// identityToken is not returned in this flow. it must be imported by the frontend like a SSO session.
 		sessionToken, _, err := services.SessionCreator(
 			app.AccountStore, app.RefreshTokenStore, app.KeyStore, app.Actives, app.Config, app.Reporter,
-			account.ID, &app.Config.ApplicationDomains[0], sessions.GetRefreshToken(r),
+			account.ID, &app.Config.ApplicationDomains[0], sessions.GetRefreshToken(r), amr,
 		)
 		if err != nil {
 			fail(errors.Wrap(err, "NewSession"))

server/handlers/get_oauth_return_test.go

@@ -50,7 +50,7 @@ func TestGetOauthReturn(t *testing.T) {
 		if !test.AssertRedirect(t, res, "https://localhost:9999/return") {
 			return
 		}
-		test.AssertSession(t, app.Config, res.Cookies())
+		test.AssertSession(t, app.Config, res.Cookies(), "oauth:test")
 
 		// creates an account
 		account, err := app.AccountStore.FindByOauthAccount("test", "something")
@@ -67,7 +67,7 @@ func TestGetOauthReturn(t *testing.T) {
 		res, err := client.WithCookie(session).Get("/oauth/test/[email protected]&state=" + state)
 		require.NoError(t, err)
 		if test.AssertRedirect(t, res, "https://localhost:9999/return") {
-			test.AssertSession(t, app.Config, res.Cookies())
+			test.AssertSession(t, app.Config, res.Cookies(), "oauth:test")
 		}
 	})
 
@@ -94,7 +94,7 @@ func TestGetOauthReturn(t *testing.T) {
 		res, err := client.Get("/oauth/test/return?code=REGISTEREDID&state=" + state)
 		require.NoError(t, err)
 		if test.AssertRedirect(t, res, "https://localhost:9999/return") {
-			test.AssertSession(t, app.Config, res.Cookies())
+			test.AssertSession(t, app.Config, res.Cookies(), "oauth:test")
 		}
 	})
 

server/handlers/post_account.go

@@ -1,13 +1,14 @@
 package handlers
 
 import (
-	"github.com/keratin/authn-server/lib/parse"
 	"net/http"
 
-	"github.com/keratin/authn-server/server/sessions"
+	"github.com/keratin/authn-server/lib/parse"
+
 	"github.com/keratin/authn-server/app"
-	"github.com/keratin/authn-server/lib/route"
 	"github.com/keratin/authn-server/app/services"
+	"github.com/keratin/authn-server/lib/route"
+	"github.com/keratin/authn-server/server/sessions"
 )
 
 func PostAccount(app *app.App) http.HandlerFunc {
@@ -36,9 +37,11 @@ func PostAccount(app *app.App) http.HandlerFunc {
 			panic(err)
 		}
 
+		amr := []string{"pwd"}
+
 		sessionToken, identityToken, err := services.SessionCreator(
 			app.AccountStore, app.RefreshTokenStore, app.KeyStore, app.Actives, app.Config, app.Reporter,
-			account.ID, route.MatchedDomain(r), sessions.GetRefreshToken(r),
+			account.ID, route.MatchedDomain(r), sessions.GetRefreshToken(r), amr,
 		)
 		if err != nil {
 			panic(err)

server/handlers/post_password.go

@@ -66,9 +66,14 @@ func PostPassword(app *app.App) http.HandlerFunc {
 			}
 		}
 
+		amr := []string{"pwd"}
+		if credentials.OTP != "" {
+			amr = append(amr, "otp")
+		}
+
 		sessionToken, identityToken, err := services.SessionCreator(
 			app.AccountStore, app.RefreshTokenStore, app.KeyStore, app.Actives, app.Config, app.Reporter,
-			accountID, route.MatchedDomain(r), sessions.GetRefreshToken(r),
+			accountID, route.MatchedDomain(r), sessions.GetRefreshToken(r), amr,
 		)
 		if err != nil {
 			panic(err)

server/handlers/post_session.go

@@ -39,9 +39,14 @@ func PostSession(app *app.App) http.HandlerFunc {
 			panic(err)
 		}
 
+		amr := []string{"pwd"}
+		if credentials.OTP != "" {
+			amr = append(amr, "otp")
+		}
+
 		sessionToken, identityToken, err := services.SessionCreator(
 			app.AccountStore, app.RefreshTokenStore, app.KeyStore, app.Actives, app.Config, app.Reporter,
-			account.ID, route.MatchedDomain(r), sessions.GetRefreshToken(r),
+			account.ID, route.MatchedDomain(r), sessions.GetRefreshToken(r), amr,
 		)
 		if err != nil {
 			panic(err)

server/handlers/post_session_test.go

@@ -32,8 +32,8 @@ func TestPostSessionSuccess(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusCreated, res.StatusCode)
-	test.AssertSession(t, app.Config, res.Cookies())
-	test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config)
+	test.AssertSession(t, app.Config, res.Cookies(), "pwd")
+	test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config, "pwd")
 }
 
 func TestPostSessionSuccessWithSession(t *testing.T) {
@@ -119,8 +119,8 @@ func TestPostSessionSuccessWithOTP(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusCreated, res.StatusCode)
-	test.AssertSession(t, app.Config, res.Cookies())
-	test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config)
+	test.AssertSession(t, app.Config, res.Cookies(), "pwd", "otp")
+	test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config, "pwd", "otp")
 }
 
 func TestPostSessionSuccessWithSessionAndTOTP(t *testing.T) {

server/handlers/post_session_token.go

@@ -41,9 +41,14 @@ func PostSessionToken(app *app.App) http.HandlerFunc {
 			panic(err)
 		}
 
+		amr := []string{"link"}
+		if credentials.OTP != "" {
+			amr = append(amr, "otp")
+		}
+
 		sessionToken, identityToken, err := services.SessionCreator(
 			app.AccountStore, app.RefreshTokenStore, app.KeyStore, app.Actives, app.Config, app.Reporter,
-			accountID, route.MatchedDomain(r), sessions.GetRefreshToken(r),
+			accountID, route.MatchedDomain(r), sessions.GetRefreshToken(r), amr,
 		)
 		if err != nil {
 			panic(err)

server/handlers/post_session_token_test.go

@@ -29,8 +29,8 @@ func TestPostSessionToken(t *testing.T) {
 
 	assertSuccess := func(t *testing.T, res *http.Response, account *models.Account) {
 		assert.Equal(t, http.StatusCreated, res.StatusCode)
-		test.AssertSession(t, app.Config, res.Cookies())
-		test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config)
+		test.AssertSession(t, app.Config, res.Cookies(), "link")
+		test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config, "link")
 		found, err := app.AccountStore.Find(account.ID)
 		require.NoError(t, err)
 		assert.Equal(t, found.Password, account.Password)
@@ -124,8 +124,8 @@ func TestPostSessionTokenWithOTP(t *testing.T) {
 
 	assertSuccess := func(t *testing.T, res *http.Response, account *models.Account) {
 		assert.Equal(t, http.StatusCreated, res.StatusCode)
-		test.AssertSession(t, app.Config, res.Cookies())
-		test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config)
+		test.AssertSession(t, app.Config, res.Cookies(), "link", "otp")
+		test.AssertIDTokenResponse(t, res, app.KeyStore, app.Config, "link", "otp")
 		found, err := app.AccountStore.Find(account.ID)
 		require.NoError(t, err)
 		assert.Equal(t, found.Password, account.Password)

server/test/asserts.go

@@ -2,7 +2,9 @@ package test
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"reflect"
 	"testing"
 
 	jwt "gopkg.in/square/go-jose.v2/jwt"
@@ -35,16 +37,20 @@ func AssertErrors(t *testing.T, res *http.Response, expected services.FieldError
 	assert.Equal(t, string(j), string(ReadBody(res)))
 }
 
-func AssertSession(t *testing.T, cfg *app.Config, cookies []*http.Cookie) {
+func AssertSession(t *testing.T, cfg *app.Config, cookies []*http.Cookie, expectedAMR ...string) {
 	t.Helper()
 	session := ReadCookie(cookies, cfg.SessionCookieName)
 	require.NotEmpty(t, session)
 
-	_, err := sessions.Parse(session.Value, cfg)
+	claims, err := sessions.Parse(session.Value, cfg)
 	assert.NoError(t, err)
+
+	if len(expectedAMR) > 0 {
+		assert.True(t, reflect.DeepEqual(claims.AuthMethodReference, expectedAMR), fmt.Sprintf("expected %v got %v", expectedAMR, claims.AuthMethodReference))
+	}
 }
 
-func AssertIDTokenResponse(t *testing.T, res *http.Response, keyStore data.KeyStore, cfg *app.Config) {
+func AssertIDTokenResponse(t *testing.T, res *http.Response, keyStore data.KeyStore, cfg *app.Config, expectedAMR ...string) {
 	t.Helper()
 
 	// check that the response contains the expected json
@@ -63,6 +69,9 @@ func AssertIDTokenResponse(t *testing.T, res *http.Response, keyStore data.KeySt
 	if assert.NoError(t, err) {
 		// check that the JWT contains nice things
 		assert.Equal(t, cfg.AuthNURL.String(), claims.Issuer)
+		if len(expectedAMR) > 0 {
+			assert.True(t, reflect.DeepEqual(claims.AuthMethodReference, expectedAMR), fmt.Sprintf("expected %v got %v", expectedAMR, claims.AuthMethodReference))
+		}
 	}
 }
 

server/test/sessions.go

@@ -12,7 +12,7 @@ import (
 )
 
 func CreateSession(tokenStore data.RefreshTokenStore, cfg *app.Config, accountID int) *http.Cookie {
-	sessionToken, err := sessions.New(tokenStore, cfg, accountID, cfg.ApplicationDomains[0].String())
+	sessionToken, err := sessions.New(tokenStore, cfg, accountID, cfg.ApplicationDomains[0].String(), []string{"pwd"})
 	if err != nil {
 		panic(err)
 	}