providers/oauth2: add ACR support

authentik/providers/oauth2/constants.py

@@ -17,3 +17,5 @@ SCOPE_GITHUB_USER_READ = "read:user"
 SCOPE_GITHUB_USER_EMAIL = "user:email"
 # Read info about teams
 SCOPE_GITHUB_ORG_READ = "read:org"
+
+ACR_AUTHENTIK_DEFAULT = "goauthentik.io/providers/oauth2/default"

authentik/providers/oauth2/models.py

@@ -27,6 +27,7 @@ from authentik.events.utils import get_user
 from authentik.lib.utils.template import render_to_string
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.providers.oauth2.apps import AuthentikProviderOAuth2Config
+from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.generators import (
     generate_client_id,
     generate_client_secret,
@@ -392,6 +393,7 @@ class IDToken:
     exp: Optional[int] = None
     iat: Optional[int] = None
     auth_time: Optional[int] = None
+    acr: Optional[str] = ACR_AUTHENTIK_DEFAULT
 
     nonce: Optional[str] = None
     at_hash: Optional[str] = None

authentik/providers/oauth2/views/authorize.py

@@ -135,6 +135,7 @@ class OAuthAuthorizationParams:
             code_challenge_method=query_dict.get("code_challenge_method"),
         )
 
+    # pylint: disable=too-many-branches
     def __post_init__(self):
         try:
             self.provider: OAuth2Provider = OAuth2Provider.objects.get(

authentik/providers/oauth2/views/provider.py

@@ -7,6 +7,7 @@ from django.views import View
 from structlog import get_logger
 
 from authentik.core.models import Application
+from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
 from authentik.providers.oauth2.models import OAuth2Provider
 
 LOGGER = get_logger()
@@ -54,6 +55,7 @@ class ProviderInfoView(View):
                 "client_secret_post",
                 "client_secret_basic",
             ],
+            "acr_values_supported": [ACR_AUTHENTIK_DEFAULT],
         }
 
     # pylint: disable=unused-argument