set up step_up_auth using stubbed out User.needs_identity_verification

src/djangooidc/oidc.py

@@ -89,7 +89,6 @@ class Client(oic.Client):
         """Step 2: Construct a login URL at OP's domain and send the user to it."""
         logger.debug("Creating the OpenID Connect authn request...")
         state = rndstr(size=32)
-        logger.info(session["acr_value"])
         try:
             session["state"] = state
             session["nonce"] = rndstr(size=32)
@@ -101,7 +100,9 @@ class Client(oic.Client):
                 "state": session["state"],
                 "nonce": session["nonce"],
                 "redirect_uri": self.registration_response["redirect_uris"][0],
-                "acr_values": session["acr_value"] if session["acr_value"] else self.behaviour.get("acr_value"),
+                # acr_value may be passed in session if overriding, as in the case
+                # of step up auth, otherwise get from settings.py
+                "acr_values": session.get("acr_value") or self.behaviour.get("acr_value"),
             }
 
             if extra_args is not None:
@@ -273,6 +274,11 @@ class Client(oic.Client):
 
         super(Client, self).store_response(resp, info)
 
+    def get_step_up_acr_value(self):
+        """returns the step_up_acr_value from settings
+        this helper function is called from djangooidc views"""
+        return self.behaviour.get("step_up_acr_value")
+    
     def __repr__(self):
         return "Client {} {} {}".format(
             self.client_id,

src/djangooidc/views.py

@@ -75,7 +75,7 @@ def login_callback(request):
             # if not satisfied, redirect user to login with stepped up acr_value
             if requires_step_up_auth(userinfo):
                 # add acr_value to request.session
-                request.session["acr_value"] = CLIENT.behaviour.get("step_up_acr_value")
+                request.session["acr_value"] = CLIENT.get_step_up_acr_value()
                 return CLIENT.create_authn_request(request.session)
 
             login(request, user)
@@ -87,13 +87,13 @@ def login_callback(request):
         return error_page(request, err)
 
 def requires_step_up_auth(userinfo):
-    # if User.needs_identity_verification and step_up_acr_value not in 
-    # ial returned from callback, redirect to 
-    step_up_acr_value = CLIENT.behavior.get("step_up_acr_value", "UNKNOWN")
+    """ if User.needs_identity_verification and step_up_acr_value not in
+    ial returned from callback, return True """
+    step_up_acr_value = CLIENT.get_step_up_acr_value()
     acr_value = userinfo.get("ial", "")
     uuid = userinfo.get("sub", "")
     email = userinfo.get("email", "")
-    return User.needs_identity_verification(email, uuid) and acr_value == step_up_acr_value
+    return User.needs_identity_verification(email, uuid) and acr_value != step_up_acr_value
 
 def logout(request, next_page=None):
     """Redirect the user to the authentication provider (OP) logout page."""
@@ -125,7 +125,6 @@ def logout(request, next_page=None):
         if next_page:
             request.session["next"] = next_page
 
-
 def logout_callback(request):
     """Simple redirection view: after logout, redirect to `next`."""
     next = request.session.get("next", "/")

src/registrar/models/user.py

@@ -65,7 +65,7 @@ class User(AbstractUser):
         return self.status == self.RESTRICTED
 
     @classmethod
-    def needs_identity_verification(email, uuid):
+    def needs_identity_verification(cls, email, uuid):
         return True
     
     def check_domain_invitations_on_login(self):