diff --git a/src/djangooidc/oidc.py b/src/djangooidc/oidc.py
index b2b1acd8e..074dbdd1c 100644
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@@ -162,7 +162,7 @@ class Client(oic.Client):
logger.error(err)
logger.error("Unable to parse response for %s" % state)
raise o_e.AuthenticationFailed(locator=state)
-
+ logger.info(authn_response)
# ErrorResponse is not raised, it is passed back...
if isinstance(authn_response, ErrorResponse):
error = authn_response.get("error", "")
@@ -207,7 +207,7 @@ class Client(oic.Client):
logger.error(err)
logger.error("Unable to request user info for %s" % state)
raise o_e.AuthenticationFailed(locator=state)
-
+ logger.info(info_response)
# ErrorResponse is not raised, it is passed back...
if isinstance(info_response, ErrorResponse):
logger.error("Unable to get user info (%s) for %s" % (info_response.get("error", ""), state))
diff --git a/src/djangooidc/views.py b/src/djangooidc/views.py
index ea893daf2..89ff6e0f8 100644
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@@ -56,6 +56,7 @@ def error_page(request, error):
def openid(request):
"""Redirect the user to an authentication provider (OP)."""
request.session["next"] = request.GET.get("next", "/")
+ request.session["acr_value"] = request.GET.get("acr_value",)
try:
return CLIENT.create_authn_request(request.session)
@@ -70,6 +71,13 @@ def login_callback(request):
userinfo = CLIENT.callback(query, request.session)
user = authenticate(request=request, **userinfo)
if user:
+ # test for need for identity verification and if it is satisfied
+ # if not satisfied, redirect user to login with stepped up acr_value
+ if requires_step_up_auth(userinfo):
+ return
+ #
+ # if User.needs_identity_verification and step_up_acr_value not in
+ # ial returned from callback, redirect to login(request, user)
logger.info("Successfully logged in user %s" % user)
return redirect(request.session.get("next", "/"))
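Review bot: `logger.info(authn_response)` writes the whole parsed authorization response to the application log at INFO level, and the second hunk of this file does the same with `logger.info(info_response)` for the userinfo response. An OIDC authorization response carries at least the authorization code and state, and depending on the response type can carry the ID token, while the userinfo response is the user's identity claims, so both lines put credentials and personal data into whatever log sink the deployment uses and keep them for as long as logs are retained. The surrounding code already logs failures with the `state` locator only, which is the right level of detail; either drop both added lines or reduce them to `logger.debug("Parsed authn response for %s", state)` and `logger.debug("Received user info for %s", state)` so that the payload itself is never logged. Both hunks sit inside methods of `Client` whose bodies start and end outside the hunk.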
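Review bot: `request.session["acr_value"] = request.GET.get("acr_value",)` stores an arbitrary, client-chosen string in the session, and since `create_authn_request(request.session)` is handed the session on the next line it is plausible, though not visible here, that this value is forwarded to the OP as the requested `acr_values`. A query parameter is a request for an assurance level, never evidence of one, so anything that later decides whether identity verification was satisfied must look at what the OP returned, not at this session key; in addition the value should be restricted to the ACR values the application is configured to request, e.g. `acr_value = request.GET.get("acr_value")` followed by `if acr_value in <ALLOWED_ACR_VALUES>: request.session["acr_value"] = acr_value` (the setting name is a placeholder, it is not on this page). Two smaller points: the trailing comma in `get("acr_value",)` is a stray token rather than a tuple and should go, and as written the key is set to `None` whenever the parameter is absent, so any downstream `"acr_value" in session` check would pass vacuously. `openid` continues past the end of the hunk.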
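Review bot: The bare `return` after `if requires_step_up_auth(userinfo):` makes the view return `None`, which Django rejects once the view has returned, so a user who needs step-up gets a 500 instead of the redirect the comments describe; the `except Exception` in `login_callback` does not catch that, because the error is raised by the handler after the view has already exited. The comments say the intended behaviour is to send the user back through `openid` with the stepped-up `acr_value`, so this should become a redirect to that view carrying the required value (the URL name and the step-up value are not on this page), with the requested value still validated by `openid` rather than trusted. The `#`, `# if User.needs_identity_verification ...` and `# ial returned from callback ...` lines are design notes rather than code comments; move the contract into the docstring of `requires_step_up_auth` and delete them, and keep `# test for need for identity verification ...` only if it is reworded to describe what the code actually does. `login_callback` starts before and ends after this hunk.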
@@ -78,7 +86,8 @@ def login_callback(request):
except Exception as err:
return error_page(request, err)
-
+def requires_step_up_auth(userinfo):
+ step_up_acr_value =
def logout(request, next_page=None):
"""Redirect the user to the authentication provider (OP) logout page."""
try:
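Review bot: `step_up_acr_value =` has no right-hand side, so `views.py` fails to import with a `SyntaxError` and every view in the module, `logout` included, stops working until the function is finished; this should not be merged as is. The removed blank line also leaves `def requires_step_up_auth(userinfo):` directly under `return error_page(request, err)`, whereas PEP 8 wants two blank lines between top-level definitions. When the body is written, the value to step up to should come from Django settings rather than a literal in the view, the comparison should be against the assurance claim the OP actually returned in `userinfo` (its claim name is not visible here), and the function needs a docstring along the lines of `"""Return True when the OP-asserted assurance level in *userinfo* is below the configured step-up level."""`.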