GEANT OIDC plugin - using ACR value for choosing authentication flow

Esa Nuutinen esa.nuutinen at finnsokung.fi
Mon Dec 31 07:20:36 EST 2018


Hi.

I would need to implement two different authentication flows based on the acr
value in the OIDC request (one is for testing and one is for actually doing
sensible authentication). Based on the logs it seems that it receives the value
just fine:

2018-12-31 11:06:26,430 - DEBUG [org.geant.idpextension.oidc.profile.impl.ProcessRequestedAuthnContext:153] - Profile Action ProcessRequestedAuthnContext: Located acr value http://test3 in request
2018-12-31 11:06:26,430 - DEBUG [org.geant.idpextension.oidc.profile.impl.ProcessRequestedAuthnContext:184] - Profile Action ProcessRequestedAuthnContext: Created preferred principal context
2018-12-31 11:06:26,792 - DEBUG [net.shibboleth.idp.authn.impl.PopulateAuthenticationContext:221] - Profile Action PopulateAuthenticationContext: Installed 1 potential authentication flows into AuthenticationContext
2018-12-31 11:06:26,873 - DEBUG [net.shibboleth.idp.authn.impl.InitializeRequestedPrincipalContext:152] - Profile Action InitializeRequestedPrincipalContext: Profile configuration did not supply any default authentication methods
2018-12-31 11:06:26,900 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByForcedAuthn:53] - Profile Action FilterFlowsByForcedAuthn: Request does not have forced authentication requirement, nothing to do
2018-12-31 11:06:26,921 - DEBUG [net.shibboleth.idp.authn.impl.FilterFlowsByNonBrowserSupport:53] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2018-12-31 11:06:26,941 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:264] - Profile Action SelectAuthenticationFlow: No specific Principals requested
2018-12-31 11:06:26,942 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:309] - Profile Action SelectAuthenticationFlow: No usable active results available, selecting an inactive flow
2018-12-31 11:06:26,943 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:363] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/prod

But it doesn't seem to be using it for SelectAuthenticationFlow. If I look at
the code, if acr has values:

idp-oidc-extension-impl/src/main/java/org/geant/idpextension/oidc/profile/impl/ProcessRequestedAuthnContext.java

        if (acrValues != null && !acrValues.isEmpty()) {
            for (ACR acr : acrValues) {
                log.debug("{} Located acr value {} in request", getLogPrefix(), acr.getValue());
                principals.add(new AuthenticationContextClassReferencePrincipal(acr.getValue()));
            }
        } else if (acrClaim != null && acrClaim.getValue() != null) {
            isEssential = acrClaim.getClaimRequirement().equals(ClaimRequirement.ESSENTIAL);
            log.debug("{} Located {} acr claim {} in id token of request", getLogPrefix(),
                    acrClaim.getClaimRequirement().toString(), acrClaim.getValue());
            principals.add(new AuthenticationContextClassReferencePrincipal(acrClaim.getValue()));
        } else if (acrClaim != null && !(acrClaim.getValues() != null && acrClaim.getValues().isEmpty())) {
            isEssential = acrClaim.getClaimRequirement().equals(ClaimRequirement.ESSENTIAL);
            for (String acr : acrClaim.getValues()) {
                log.debug("{} Located {} acr claim {} in id token of request", getLogPrefix(),
                        acrClaim.getClaimRequirement().toString(), acr);
                principals.add(new AuthenticationContextClassReferencePrincipal(acr));
            }
        }
        if (principals.isEmpty()) {
            log.debug("{} request did not contain any acr values, nothing to do", getLogPrefix());
            return;
        }

But then isEssential is always false, because acr had some value defined:

        if (isEssential) {
            final RequestedPrincipalContext rpCtx = new RequestedPrincipalContext();
            rpCtx.setOperator(AuthnContextComparisonTypeEnumeration.EXACT.toString());
            rpCtx.setRequestedPrincipals(principals);
            authenticationContext.addSubcontext(rpCtx, true);
            log.debug("{} Created requested principal context", getLogPrefix());
            return;
        }

And then after that it is setting it just as a PreferredPrincipalContext:

        final PreferredPrincipalContext ppCtx = new PreferredPrincipalContext();
        ppCtx.setPreferredPrincipals(principals);
        authenticationContext.addSubcontext(ppCtx, true);

Which I guess then bypasses the selection process of the flow, as it is just
Preferred and not Requested, and as far as I see in the code, if there is an
acr value set in the request, there is no way of defining it to be
essential... Is there some other way that I could use the acr value to choose
the right authentication flow out of two possible ones? Or how is this
supposed to work with the Geant OIDC plugin? Technically for my use case this
is easy to fix by changing isEssential to be true by default and I think it
will work for me, but is there some generic way I could get choosing the
authentication flow working with the Geant OIDC plugin, or is this just some
bug in the code/unimplemented feature? Or am I missing something else in the
configuration related to this, so that preferred principals would impact
choosing the right authentication flow?

This is the 0.8 version of the plugin from a few months back that I'm using,
so not quite the latest from the Geant OIDC git repository, because a few
other changes have been required for this project too in order for it to work,
so I'm not sure now if this part has been somehow modified already, but at
least the above class hasn't been changed since I pulled the code.

// Esa
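As an added illustration (not code from the poster or from the GEANT plugin), a Python model of the three branches quoted above: an acr_values parameter is never marked essential, while an acr entry under id_token in the OIDC claims request parameter can carry "essential": true, which is the only path in the quoted code that produces a RequestedPrincipalContext with the EXACT operator. The flow table and the simplified selector (requested context = hard filter, preferred context = ordering hint) are constructed assumptions, not the IdP's own selection code.

```python
import json

# Constructed sample flow table: flow id -> the ACR it satisfies (not the plugin's config).
FLOWS = {"authn/test": "http://test3", "authn/prod": "http://prod"}


def extract_acr(params):
    """Mirror the three branches quoted from ProcessRequestedAuthnContext.
    Returns (acr_list, is_essential)."""
    acrs, essential = [], False
    acr_values = params.get("acr_values")
    if acr_values:
        # Branch 1: acr_values parameter. The quoted code never marks this essential.
        acrs = acr_values.split()
    else:
        # Branches 2/3: acr claim in the "claims" parameter, which may carry "essential".
        claims = json.loads(params.get("claims", "{}"))
        acr_claim = claims.get("id_token", {}).get("acr")
        if acr_claim is not None:
            essential = bool(acr_claim.get("essential", False))
            if acr_claim.get("value") is not None:
                acrs = [acr_claim["value"]]
            elif acr_claim.get("values"):
                acrs = list(acr_claim["values"])
    return acrs, essential


def build_context(params):
    """Which subcontext the quoted code adds: 'requested' (EXACT) or 'preferred'."""
    acrs, essential = extract_acr(params)
    if not acrs:
        return None, []  # "request did not contain any acr values, nothing to do"
    return ("requested" if essential else "preferred"), acrs


def eligible_flows(params, flows=FLOWS):
    """Simplified selector (assumption): a requested context is a hard EXACT
    filter, a preferred context only moves matching flows to the front."""
    kind, acrs = build_context(params)
    matching = [f for f, acr in flows.items() if acr in acrs]
    if kind == "requested":
        return matching  # empty list means no flow satisfies the essential acr
    others = [f for f in flows if f not in matching]
    return matching + others
```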


