wip

src/djangooidc/oidc.py

@@ -89,6 +89,7 @@ class Client(oic.Client):
         """Step 2: Construct a login URL at OP's domain and send the user to it."""
         logger.debug("Creating the OpenID Connect authn request...")
         state = rndstr(size=32)
+        logger.info(session["acr_value"])
         try:
             session["state"] = state
             session["nonce"] = rndstr(size=32)
@@ -100,7 +101,7 @@ class Client(oic.Client):
                 "state": session["state"],
                 "nonce": session["nonce"],
                 "redirect_uri": self.registration_response["redirect_uris"][0],
-                "acr_values": self.behaviour.get("acr_value"),
+                "acr_values": session["acr_value"] if session["acr_value"] else self.behaviour.get("acr_value"),
             }
 
             if extra_args is not None:

src/djangooidc/views.py

@@ -11,6 +11,7 @@ from urllib.parse import parse_qs, urlencode
 
 from djangooidc.oidc import Client
 from djangooidc import exceptions as o_e
+from registrar.models import User
 
 
 logger = logging.getLogger(__name__)
@@ -56,7 +57,6 @@ def error_page(request, error):
 def openid(request):
     """Redirect the user to an authentication provider (OP)."""
     request.session["next"] = request.GET.get("next", "/")
-    request.session["acr_value"] = request.GET.get("acr_value",)
 
     try:
         return CLIENT.create_authn_request(request.session)
@@ -74,10 +74,10 @@ def login_callback(request):
             # test for need for identity verification and if it is satisfied
             # if not satisfied, redirect user to login with stepped up acr_value
             if requires_step_up_auth(userinfo):
-                return 
+                # add acr_value to request.session
-            # 
+                request.session["acr_value"] = CLIENT.behaviour.get("step_up_acr_value")
-            # if User.needs_identity_verification and step_up_acr_value not in 
+                return CLIENT.create_authn_request(request.session)
-            # ial returned from callback, redirect to 
+
             login(request, user)
             logger.info("Successfully logged in user %s" % user)
             return redirect(request.session.get("next", "/"))
@@ -87,7 +87,14 @@ def login_callback(request):
         return error_page(request, err)
 
 def requires_step_up_auth(userinfo):
-    step_up_acr_value = 
+    # if User.needs_identity_verification and step_up_acr_value not in 
+    # ial returned from callback, redirect to 
+    step_up_acr_value = CLIENT.behavior.get("step_up_acr_value", "UNKNOWN")
+    acr_value = userinfo.get("ial", "")
+    uuid = userinfo.get("sub", "")
+    email = userinfo.get("email", "")
+    return User.needs_identity_verification(email, uuid) and acr_value == step_up_acr_value
+
 def logout(request, next_page=None):
     """Redirect the user to the authentication provider (OP) logout page."""
     try:

src/registrar/config/settings.py

@@ -540,7 +540,8 @@ OIDC_PROVIDERS = {
             "response_type": "code",
             "scope": ["email", "profile:name", "phone"],
             "user_info_request": ["email", "first_name", "last_name", "phone"],
-            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
+            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
         },
         "client_registration": {
             "client_id": "cisa_dotgov_registrar",
@@ -557,7 +558,8 @@ OIDC_PROVIDERS = {
             "response_type": "code",
             "scope": ["email", "profile:name", "phone"],
             "user_info_request": ["email", "first_name", "last_name", "phone"],
-            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
+            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
         },
         "client_registration": {
             "client_id": ("urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar"),

src/registrar/models/user.py

@@ -64,6 +64,10 @@ class User(AbstractUser):
     def is_restricted(self):
         return self.status == self.RESTRICTED
 
+    @classmethod
+    def needs_identity_verification(email, uuid):
+        return True
+    
     def check_domain_invitations_on_login(self):
         """When a user first arrives on the site, we need to retrieve any domain
         invitations that match their email address."""