-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LG-13038 Add user context to the AuthnContextResolver
#10517
Conversation
I marked this as a draft. I still need to add feature tests to ensure this works as expected. |
1e7cc35
to
02b863e
Compare
3cc5ba2
to
417f4cb
Compare
AuthnContextResolver
AuthnContextResolver
a8f4e04
to
ac4c97a
Compare
Support for multiple vectors for IALMax is added to the IdP in 18F/identity-idp#10517. With that change we can have IALMax-like support with vectors of trust by sending the `C1.P1,C1` vector. This commit adds that to this app.
861746e
to
c1f51ad
Compare
I have merged a bunch of changes to make this work. This should be ready for review. These changes only apply to OIDC for now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great - awesome job with the specs cleanly going through all the use cases!
elsif non_biometric_identity_proofing_vot.present? && user&.identity_verified? | ||
non_biometric_identity_proofing_vot | ||
else | ||
parsed_vectors_of_trust.first |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am testing this in combination with 18F/identity-oidc-sinatra#163 and it looks like this is always picking C1.P1
from the vtr ["C1.P1","C1"]
. Is this correct? If we are trying to replicate ialmax, I would expect C1
to be used in those cases (this is assuming I understand what ialmax is supposed to do)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, reading a little more I think i am confused
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, there is a little bug in here. Let me fix it up. I tested with C1,C1.P1
when I should be testing with C1.P1,C1
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
476fc5a has the fix
476fc5a
to
a1f4cd5
Compare
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
The `AuthnContextResolver#resolve` takes the ACR values and VTR param for a spec and returns an `Vot::Parser::Result` object. This object has predicate methods such as `aal2?` and `#identity_proofing?` which describe what requirements for the given service provider request. This is necessary because these requirements are a function of the service provider settings that are stored in the database and the request from the service provider. When using vectors of trust a service provider is able to make a request with multiple valid vectors. Prior to this commit we used the first vector in the list for the service provider request. This commit makes a change to show the following preference: If a SP requests biometric comparison and the user has completed proofing with biometric comparison we select the biometric comparison vector If a SP requests identity proofing without biometric comparison and the user completed proofing we select the vector for identity proofing without biometric comparison If neither of the above is true then we continue to select the first vector. This change requires passing the user into the `AuthnContextResolver` initializer so it has access to the user context once the user signs in. The arrangement allows us to use the following vector combinations to satisfy the following use cases `C1.C2.P1.Pb,C1.C2.P1`: Existing proofed users do not need to proof again but unproofed users need to proof with a biometric `C1.C2.P1,C1.C2`: Users who have proofed have their attributes shared but unproofed users do not need to go through proofing i.e. IALMax [skip changelog]
a1f4cd5
to
3f7492e
Compare
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
We added support for sending multiple vectors of trust using the OIDC interface in #10517. This commit adds the same feature to the SAML interace. To send multiple vectors using SAML partners can include multiple AuthnContextNodes with a vector in each. This was enabled in 18F/saml_idp#100. [skip changelog]
Support for multiple vectors for IALMax is added to the IdP in 18F/identity-idp#10517. With that change we can have IALMax-like support with vectors of trust by sending the `C1.P1,C1` vector. This commit adds that to this app.
The
AuthnContextResolver#resolve
takes the ACR values and VTR param for a request and returns anVot::Parser::Result
object. This object has predicate methods such asaal2?
and#identity_proofing?
which describe the requirements for the given service provider request. This is necessary because these requirements are a function of the service provider settings that are stored in the database and the request from the service provider.When using vectors of trust a service provider is able to make a request with multiple valid vectors. Prior to this commit we used the first vector in the list for the service provider request. This commit makes a change to show the following preference:
This change requires passing the current user into the
AuthnContextResolver
initializer so it has access to the user context once the user signs in.The arrangement allows us to use the following vector combinations to satisfy the following use cases
C1.C2.P1.Pb,C1.C2.P1
: Existing proofed users do not need to proof again but unproofed users need to proof with a biometricC1.C2.P1,C1.C2
: Users who have proofed have their attributes shared but unproofed users do not need to go through proofing i.e. IALMax