fix(handler): oidc two factor handling (#3512)

2022-06-14 15:17:11 +10:00 · 2022-06-14 15:17:11 +10:00 · 607bbcc324
parent e786eec8b0
commit 607bbcc324
3 changed files with 28 additions and 3 deletions
--- a/internal/authentication/util.go
+++ b/internal/authentication/util.go
@ -0,0 +1,15 @@
 package authentication
 // LevelToString returns a string representation of an authentication.Level.
 func LevelToString(level Level) string {
 	switch level {
 	case NotAuthenticated:
 		return "not_authenticated"
 	case OneFactor:
 		return "one_factor"
 	case TwoFactor:
 		return "two_factor"
 	}
 	return "invalid"
 }
--- a/internal/handlers/handler_oidc_authorization_consent.go
+++ b/internal/handlers/handler_oidc_authorization_consent.go
@ -8,6 +8,8 @@ import (
 	"github.com/google/uuid"
 	"github.com/ory/fosite"
 	"github.com/authelia/authelia/v4/internal/authentication"
 	"github.com/authelia/authelia/v4/internal/authorization"
 	"github.com/authelia/authelia/v4/internal/middlewares"
 	"github.com/authelia/authelia/v4/internal/model"
 	"github.com/authelia/authelia/v4/internal/oidc"
@ -105,7 +107,7 @@ func handleOIDCAuthorizationConsentWithChallengeID(ctx *middlewares.AutheliaCtx,
 		return consent, false
 	}
-	handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
+	handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
 	return consent, true
 }
@ -169,16 +171,23 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, rootUR
 		return nil, true
 	}
-	handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
+	handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
 	return consent, true
 }
-func handleOIDCAuthorizationConsentRedirect(destination string, client *oidc.Client, userSession session.UserSession, rw http.ResponseWriter, r *http.Request) {
+func handleOIDCAuthorizationConsentRedirect(ctx *middlewares.AutheliaCtx, destination string, client *oidc.Client,
 	userSession session.UserSession, rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) {
 	if client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
 		ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is sufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
 		destination = fmt.Sprintf("%s/consent", destination)
 	} else {
 		ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is insufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
 	}
 	ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' is being redirected to '%s'", requester.GetID(), client.GetID(), destination)
 	http.Redirect(rw, r, destination, http.StatusFound)
 }
--- a/internal/oidc/client_test.go
+++ b/internal/oidc/client_test.go
@ -41,6 +41,7 @@ func TestNewClient(t *testing.T) {
 	assert.Equal(t, fosite.ResponseModeFormPost, exampleClient.ResponseModes[1])
 	assert.Equal(t, fosite.ResponseModeQuery, exampleClient.ResponseModes[2])
 	assert.Equal(t, fosite.ResponseModeFragment, exampleClient.ResponseModes[3])
 	assert.Equal(t, authorization.TwoFactor, exampleClient.Policy)
 }
 func TestIsAuthenticationLevelSufficient(t *testing.T) {