18F · jmhooper · Feb 27, 2024 · Feb 27, 2024
diff --git a/app/services/id_token_builder.rb b/app/services/id_token_builder.rb
@@ -37,7 +37,7 @@ def jwt_payload
 
   def id_token_claims
     {
-      acr: acr,
+      acr: (acr if !sp_requests_vot?),
       vot: (vot if sp_requests_vot?),
       vtm: (IdentityConfig.store.vtm_url if sp_requests_vot?),
       nonce: identity.nonce,
@@ -74,7 +74,7 @@ def sp_requests_vot?
   end
 
   def vot
-    return nil unless identity.vtr.present?
+    return nil unless sp_requests_vot?
     resolved_authn_context_result.component_values.map(&:name).join('.')
   end
 
@@ -89,11 +89,16 @@ def determine_ial_max_acr
   def resolved_authn_context_result
     @resolved_authn_context_result ||= AuthnContextResolver.new(
       service_provider: identity.service_provider_record,
-      vtr: [identity.vtr],
+      vtr: parsed_vtr_value,
       acr_values: identity.acr_values,
     ).resolve
   end
 
+  def parsed_vtr_value
+    return nil unless sp_requests_vot?
+    JSON.parse(identity.vtr)
+  end
+
   def expires
     now.to_i + ttl
   end

diff --git a/spec/services/id_token_builder_spec.rb b/spec/services/id_token_builder_spec.rb
@@ -62,47 +62,45 @@
       expect(decoded_payload[:nonce]).to eq(identity.nonce)
     end
 
-    context 'it sets the vot' do
-      context 'sp requests vot' do
-        before do
-          allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).
-            and_return(true)
-          allow(IdentityConfig.store).to receive(:vtm_url).
-            and_return(vtm_url)
-        end
+    context 'sp request includes VTR' do
+      before do
+        allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).
+          and_return(true)
+        allow(IdentityConfig.store).to receive(:vtm_url).
+          and_return(vtm_url)
+      end
 
-        it 'sets the vot if the sp requests it' do
-          identity.vtr = 'Pb'
-          expect(decoded_payload[:vot]).to eq('C1.C2.P1.Pb')
-        end
+      it 'sets the vot if the sp requests it' do
+        identity.vtr = ['Pb'].to_json
+        expect(decoded_payload[:vot]).to eq('C1.C2.P1.Pb')
+      end
 
-        it 'sets the vtm' do
-          identity.vtr = 'Pb'
-          expect(decoded_payload[:vtm]).to eq(vtm_url)
-        end
+      it 'sets the vtm' do
+        identity.vtr = ['Pb'].to_json
+        expect(decoded_payload[:vtm]).to eq(vtm_url)
       end
+    end
 
-      context 'sp does not request vot' do
-        before do
-          allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).
-            and_return(false)
-          allow(IdentityConfig.store).to receive(:vtm_url).
-            and_return(vtm_url)
-        end
+    context 'vtr is disabled' do
+      before do
+        allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).
+          and_return(false)
+        allow(IdentityConfig.store).to receive(:vtm_url).
+          and_return(vtm_url)
+      end
 
-        it 'does not set the vot if the sp does not request it' do
-          identity.vtr = 'Pb'
-          expect(decoded_payload[:vot]).to eq nil
-        end
+      it 'does not set the vot if the sp does not request it' do
+        identity.vtr = ['Pb'].to_json
+        expect(decoded_payload[:vot]).to eq nil
+      end
 
-        it 'does not set the vtm' do
-          identity.vtr = nil
-          expect(decoded_payload[:vtm]).to eq nil
-        end
+      it 'does not set the vtm' do
+        identity.vtr = nil
+        expect(decoded_payload[:vtm]).to eq nil
       end
     end
 
-    context 'it sets the acr' do
+    context 'context sp requests ACR values' do
       context 'aal and ial request' do
         before do
           identity.aal = 2
@@ -162,6 +160,25 @@
       end
     end
 
+    context 'sp requests includes ACR values and VTR' do
+      before do
+        allow(IdentityConfig.store).to receive(:use_vot_in_sp_requests).
+          and_return(true)
+        allow(IdentityConfig.store).to receive(:vtm_url).
+          and_return(vtm_url)
+
+        identity.ial = 1
+        identity.vtr = ['C1'].to_json
+        identity.acr_values = Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF
+      end
+
+      it 'sets the vot and vtm and it does not set an acr' do
+        expect(decoded_payload[:vot]).to eq('C1')
+        expect(decoded_payload[:vtm]).to eq(vtm_url)
+        expect(decoded_payload[:acr]).to eq(nil)
+      end
+    end
+
     it 'sets the jti to something meaningful' do
       expect(decoded_payload[:jti]).to be_present
     end