Remove step up acr check

src/djangooidc/oidc.py

@@ -85,7 +85,7 @@ class Client(oic.Client):
     def create_authn_request(
         self,
         session,
-        add_acr=True,
+        do_biometric_auth=False,
         extra_args=None,
     ):
         """Step 2: Construct a login URL at OP's domain and send the user to it."""
@@ -103,10 +103,10 @@ class Client(oic.Client):
                 "nonce": session["nonce"],
                 "redirect_uri": self.registration_response["redirect_uris"][0],
             }
-            if add_acr:
+            if do_biometric_auth:
-                request_args["acr_values"] = self.behaviour.get("acr_value")
+                self._set_args_for_biometric_auth_request(session, request_args)
             else:
-                request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))
+                request_args["acr_values"] = self.behaviour.get("acr_value")
 
             if extra_args is not None:
                 request_args.update(extra_args)
@@ -153,6 +153,12 @@ class Client(oic.Client):
 
         return response
 
+    def _set_args_for_biometric_auth_request(self, session, request_args):
+        if "acr_value" in session:
+            session.pop("acr_value")
+        request_args["vtr"] = self.get_vtr_value()
+        request_args["vtm"] = self.get_vtm_value()
+
     def callback(self, unparsed_response, session):
         """Step 3: Receive OP's response, request an access token, and user info."""
         logger.debug("Processing the OpenID Connect callback response...")
@@ -300,16 +306,12 @@ class Client(oic.Client):
         this helper function is called from djangooidc views"""
         return self.behaviour.get("acr_value")
 
-    def get_step_up_acr_value(self):
-        """returns the step_up_acr_value from settings
-        this helper function is called from djangooidc views"""
-        return self.behaviour.get("step_up_acr_value")
-
     def get_vtm_value(self):
         return self.behaviour.get("vtm")
     
-    def get_vtr_value(self):
+    def get_vtr_value(self, cleaned=True):
-        return self.behaviour.get("vtr")
+        vtr = self.behaviour.get("vtr")
+        return json.dumps(vtr) if cleaned else vtr
 
     def __repr__(self):
         return "Client {} {} {}".format(

src/djangooidc/views.py

@@ -93,17 +93,11 @@ def login_callback(request):
         userinfo = CLIENT.callback(query, request.session)
         # test for need for identity verification and if it is satisfied
         # if not satisfied, redirect user to login with stepped up acr_value
-        request.session["needs_biometric_validation"] = False
+        needs_biometric_validation = _requires_biometric_auth(userinfo)
-        if _requires_step_up_auth(userinfo):
+        request.session["needs_biometric_validation"] = needs_biometric_validation
-            # add acr_value to request.session
+        if needs_biometric_validation:
-            if "acr_value" in request.session:
+            return CLIENT.create_authn_request(request.session, do_biometric_auth=True)
-                request.session.pop("acr_value")
+
-            extra_args = {
-                "vtm": CLIENT.get_vtm_value(),
-            }
-            request.session["needs_biometric_validation"] = True
-            print(f"session is: {request.session}")
-            return CLIENT.create_authn_request(request.session, add_acr=False, extra_args=extra_args)
         user = authenticate(request=request, **userinfo)
         if user:
 
@@ -145,14 +139,12 @@ def login_callback(request):
         return error_page(request, err)
 
 
-def _requires_step_up_auth(userinfo):
+def _requires_biometric_auth(userinfo):
     """if User.needs_identity_verification and step_up_acr_value not in
     ial returned from callback, return True"""
-    step_up_acr_value = CLIENT.get_step_up_acr_value()
-    acr_value = userinfo.get("ial", "")
     uuid = userinfo.get("sub", "")
     email = userinfo.get("email", "")
-    if acr_value != step_up_acr_value and (not userinfo.get("vtm") and not userinfo.get("vtr")):
+    if not userinfo.get("vtm") or not userinfo.get("vtr"):
         # The acr of this attempt is not at the highest level
         # so check if the user needs the higher level
         return User.needs_identity_verification(email, uuid)

src/registrar/config/settings.py

@@ -562,7 +562,6 @@ OIDC_PROVIDERS = {
             "scope": ["email", "profile:name", "phone"],
             "user_info_request": ["email", "first_name", "last_name", "phone"],
             "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
-            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
             "vtr": ["Pb","P1"],
             "vtm": "https://developer.login.gov/vot-trust-framework",
         },
@@ -582,7 +581,6 @@ OIDC_PROVIDERS = {
             "scope": ["email", "profile:name", "phone"],
             "user_info_request": ["email", "first_name", "last_name", "phone"],
             "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
-            "step_up_acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
             # "P1" is the current IdV option; "Pb" stands for 'biometric'
             "vtr": ["Pb","P1"],
             # Stand in replacement for the step_up_acr_value for ial2