LG-13038 Add user context to the AuthnContextResolver
#10517
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I marked this as a draft. I still need to add feature tests to ensure this works as expected. |
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
3 times, most recently
from
1e7cc35
to
02b863e
Compare
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
2 times, most recently
from
3cc5ba2
to
417f4cb
Compare
jmhooper
changed the title
AuthnContextResolverAuthnContextResolver
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
from
a8f4e04
to
ac4c97a
Compare
jmhooper
added a commit
to 18F/identity-oidc-sinatra
that referenced
this pull request
May 17, 2024
Support for multiple vectors for IALMax is added to the IdP in 18F/identity-idp#10517. With that change we can have IALMax-like support with vectors of trust by sending the `C1.P1,C1` vector. This commit adds that to this app.
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
from
861746e
to
c1f51ad
Compare
|
I have merged a bunch of changes to make this work. This should be ready for review. These changes only apply to OIDC for now. |
solipet
approved these changes
May 20, 2024
matthinz
reviewed
May 20, 2024
| elsif non_biometric_identity_proofing_vot.present? && user&.identity_verified? | ||
| non_biometric_identity_proofing_vot | ||
| else | ||
| parsed_vectors_of_trust.first |
There was a problem hiding this comment.
I am testing this in combination with 18F/identity-oidc-sinatra#163 and it looks like this is always picking C1.P1 from the vtr ["C1.P1","C1"]. Is this correct? If we are trying to replicate ialmax, I would expect C1 to be used in those cases (this is assuming I understand what ialmax is supposed to do)
There was a problem hiding this comment.
Wait, reading a little more I think i am confused
There was a problem hiding this comment.
You are right, there is a little bug in here. Let me fix it up. I tested with C1,C1.P1 when I should be testing with C1.P1,C1.
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
from
476fc5a
to
a1f4cd5
Compare
jmhooper
added a commit
that referenced
this pull request
May 22, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
jmhooper
added a commit
that referenced
this pull request
May 22, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
The `AuthnContextResolver#resolve` takes the ACR values and VTR param for a spec and returns an `Vot::Parser::Result` object. This object has predicate methods such as `aal2?` and `#identity_proofing?` which describe what requirements for the given service provider request. This is necessary because these requirements are a function of the service provider settings that are stored in the database and the request from the service provider. When using vectors of trust a service provider is able to make a request with multiple valid vectors. Prior to this commit we used the first vector in the list for the service provider request. This commit makes a change to show the following preference: If a SP requests biometric comparison and the user has completed proofing with biometric comparison we select the biometric comparison vector If a SP requests identity proofing without biometric comparison and the user completed proofing we select the vector for identity proofing without biometric comparison If neither of the above is true then we continue to select the first vector. This change requires passing the user into the `AuthnContextResolver` initializer so it has access to the user context once the user signs in. The arrangement allows us to use the following vector combinations to satisfy the following use cases `C1.C2.P1.Pb,C1.C2.P1`: Existing proofed users do not need to proof again but unproofed users need to proof with a biometric `C1.C2.P1,C1.C2`: Users who have proofed have their attributes shared but unproofed users do not need to go through proofing i.e. IALMax [skip changelog]
jmhooper
force-pushed
the
jmhooper-user-aware-authn-context-resolver
branch
from
a1f4cd5
to
3f7492e
Compare
jmhooper
added a commit
that referenced
this pull request
May 22, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
jmhooper
added a commit
that referenced
this pull request
May 22, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
jmhooper
added a commit
that referenced
this pull request
May 22, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
mitchellhenke
pushed a commit
that referenced
this pull request
May 23, 2024
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
jmhooper
added a commit
to 18F/identity-oidc-sinatra
that referenced
this pull request
May 23, 2024
Support for multiple vectors for IALMax is added to the IdP in 18F/identity-idp#10517. With that change we can have IALMax-like support with vectors of trust by sending the `C1.P1,C1` vector. This commit adds that to this app.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
AuthnContextResolver#resolvetakes the ACR values and VTR param for a request and returns anVot::Parser::Resultobject. This object has predicate methods such asaal2?and#identity_proofing?which describe the requirements for the given service provider request. This is necessary because these requirements are a function of the service provider settings that are stored in the database and the request from the service provider.When using vectors of trust a service provider is able to make a request with multiple valid vectors. Prior to this commit we used the first vector in the list for the service provider request. This commit makes a change to show the following preference:
This change requires passing the current user into the
AuthnContextResolverinitializer so it has access to the user context once the user signs in.The arrangement allows us to use the following vector combinations to satisfy the following use cases
C1.C2.P1.Pb,C1.C2.P1: Existing proofed users do not need to proof again but unproofed users need to proof with a biometricC1.C2.P1,C1.C2: Users who have proofed have their attributes shared but unproofed users do not need to go through proofing i.e. IALMax