Fix infinite loop

2025-05-15 00:57:02 +02:00 · 2024-05-16 12:37:14 -06:00 · 2024-05-16 12:37:14 -06:00 · f3f1b896bb
commit f3f1b896bb
parent 28e18e705b
2 changed files with 14 additions and 6 deletions
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@ -104,8 +104,9 @@ class Client(oic.Client):
                "redirect_uri": self.registration_response["redirect_uris"][0],
            }
            if add_acr:
-                request_args["acr_values"] = session.get("acr_value") or self.behaviour.get("acr_value")
-            request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))
+                request_args["acr_values"] = self.behaviour.get("acr_value")
+            else:
+                request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))

            if extra_args is not None:
                request_args.update(extra_args)
@ -228,9 +229,15 @@ class Client(oic.Client):
        if isinstance(info_response, ErrorResponse):
            logger.error("Unable to get user info (%s) for %s" % (info_response.get("error", ""), state))
            raise o_e.AuthenticationFailed(locator=state)
+        info_response_dict = info_response.to_dict()

-        logger.debug("user info: %s" % info_response)
-        return info_response.to_dict()
+        if "needs_biometric_validation" in session and session["needs_biometric_validation"]:
+            if "vtm" in session:
+                info_response_dict["vtm"] = session.get("vtm")
+            if "vtr" in session:
+                info_response_dict["vtr"] = session.get("vtr")
+        logger.debug("user info: %s" % info_response_dict)
+        return info_response_dict

    def _request_token(self, state, code, session):
        """Request a token from OP to allow us to then request user info."""
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -93,14 +93,15 @@ def login_callback(request):
        userinfo = CLIENT.callback(query, request.session)
        # test for need for identity verification and if it is satisfied
        # if not satisfied, redirect user to login with stepped up acr_value
+        request.session["needs_biometric_validation"] = False
        if _requires_step_up_auth(userinfo):
            # add acr_value to request.session
-
            if "acr_value" in request.session:
                request.session.pop("acr_value")
            extra_args = {
                "vtm": CLIENT.get_vtm_value(),
            }
+            request.session["needs_biometric_validation"] = True
            print(f"session is: {request.session}")
            return CLIENT.create_authn_request(request.session, add_acr=False, extra_args=extra_args)
        user = authenticate(request=request, **userinfo)
@ -151,7 +152,7 @@ def _requires_step_up_auth(userinfo):
    acr_value = userinfo.get("ial", "")
    uuid = userinfo.get("sub", "")
    email = userinfo.get("email", "")
-    if acr_value != step_up_acr_value:
+    if acr_value != step_up_acr_value and (not userinfo.get("vtm") and not userinfo.get("vtr")):
        # The acr of this attempt is not at the highest level
        # so check if the user needs the higher level
        return User.needs_identity_verification(email, uuid)