wip

2025-05-16 17:47:02 +02:00 · 2023-12-06 13:58:47 -05:00 · 2023-12-06 13:58:47 -05:00 · 695b4199f3
commit 695b4199f3
parent 2e1ff849cf
4 changed files with 23 additions and 9 deletions
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@ -89,6 +89,7 @@ class Client(oic.Client):
        """Step 2: Construct a login URL at OP's domain and send the user to it."""
        logger.debug("Creating the OpenID Connect authn request...")
        state = rndstr(size=32)
+        logger.info(session["acr_value"])
        try:
            session["state"] = state
            session["nonce"] = rndstr(size=32)
@ -100,7 +101,7 @@ class Client(oic.Client):
                "state": session["state"],
                "nonce": session["nonce"],
                "redirect_uri": self.registration_response["redirect_uris"][0],
-                "acr_values": self.behaviour.get("acr_value"),
+                "acr_values": session["acr_value"] if session["acr_value"] else self.behaviour.get("acr_value"),
            }

            if extra_args is not None:
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -11,6 +11,7 @@ from urllib.parse import parse_qs, urlencode

 from djangooidc.oidc import Client
 from djangooidc import exceptions as o_e
+from registrar.models import User


 logger = logging.getLogger(__name__)
@ -56,7 +57,6 @@ def error_page(request, error):
 def openid(request):
    """Redirect the user to an authentication provider (OP)."""
    request.session["next"] = request.GET.get("next", "/")
-    request.session["acr_value"] = request.GET.get("acr_value",)

    try:
        return CLIENT.create_authn_request(request.session)
@ -74,10 +74,10 @@ def login_callback(request):
            # test for need for identity verification and if it is satisfied
            # if not satisfied, redirect user to login with stepped up acr_value
            if requires_step_up_auth(userinfo):
-                return 
-            # 
-            # if User.needs_identity_verification and step_up_acr_value not in 
-            # ial returned from callback, redirect to 
+                # add acr_value to request.session
+                request.session["acr_value"] = CLIENT.behaviour.get("step_up_acr_value")
+                return CLIENT.create_authn_request(request.session)
+
            login(request, user)
            logger.info("Successfully logged in user %s" % user)
            return redirect(request.session.get("next", "/"))
@ -87,7 +87,14 @@ def login_callback(request):
        return error_page(request, err)

 def requires_step_up_auth(userinfo):
-    step_up_acr_value = 
+    # if User.needs_identity_verification and step_up_acr_value not in 
+    # ial returned from callback, redirect to 
+    step_up_acr_value = CLIENT.behavior.get("step_up_acr_value", "UNKNOWN")
+    acr_value = userinfo.get("ial", "")
+    uuid = userinfo.get("sub", "")
+    email = userinfo.get("email", "")
+    return User.needs_identity_verification(email, uuid) and acr_value == step_up_acr_value
+
 def logout(request, next_page=None):
    """Redirect the user to the authentication provider (OP) logout page."""
    try:
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@ -540,7 +540,8 @@ OIDC_PROVIDERS = {
            "response_type": "code",
            "scope": ["email", "profile:name", "phone"],
            "user_info_request": ["email", "first_name", "last_name", "phone"],
-            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
+            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
        },
        "client_registration": {
            "client_id": "cisa_dotgov_registrar",
@ -557,7 +558,8 @@ OIDC_PROVIDERS = {
            "response_type": "code",
            "scope": ["email", "profile:name", "phone"],
            "user_info_request": ["email", "first_name", "last_name", "phone"],
-            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
+            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
        },
        "client_registration": {
            "client_id": ("urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar"),
--- a/src/registrar/models/user.py
+++ b/src/registrar/models/user.py
@ -64,6 +64,10 @@ class User(AbstractUser):
    def is_restricted(self):
        return self.status == self.RESTRICTED

+    @classmethod
+    def needs_identity_verification(email, uuid):
+        return True
+    
    def check_domain_invitations_on_login(self):
        """When a user first arrives on the site, we need to retrieve any domain
        invitations that match their email address."""