enterprise/stages/mtls: improve certificate validation (#14582)

* improve certificate validation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix fingerprint sha1

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* new cert with fixed attributes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add sc amr support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/providers/oauth2/id_token.py

@@ -16,6 +16,7 @@ from authentik.providers.oauth2.constants import (
     ACR_AUTHENTIK_DEFAULT,
     AMR_MFA,
     AMR_PASSWORD,
+    AMR_SMART_CARD,
     AMR_WEBAUTHN,
 )
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@@ -139,9 +140,10 @@ class IDToken:
                 amr.append(AMR_PASSWORD)
             if method == "auth_webauthn_pwl":
                 amr.append(AMR_WEBAUTHN)
+            if "certificate" in method_args:
+                amr.append(AMR_SMART_CARD)
             if "mfa_devices" in method_args:
-                if len(amr) > 0:
-                    amr.append(AMR_MFA)
+                amr.append(AMR_MFA)
             if amr:
                 id_token.amr = amr