Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(jans-auth-server): specify minimum ACR for clients #343

Closed
martynaslawinska opened this issue Feb 20, 2021 · 4 comments · Fixed by #3083
Closed

feat(jans-auth-server): specify minimum ACR for clients #343

martynaslawinska opened this issue Feb 20, 2021 · 4 comments · Fixed by #3083
Assignees
Labels
comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request needs-triage Issue or PR yet to be triaged. Add more labels or details that will help during triage review.

Comments

@martynaslawinska
Copy link

nynymike commented on Oct 10, 2018
Customers want to be able to force a certain level of authentication to access certain clients. Is it possible to look at the client_id, and if the current session does not match the required acr, to force authentication with the requisite acr.

yuriyz commented on Oct 10, 2018
Session tracks all clients that take part in SSO. So indeed we can check whether required level of acr is set per client or not. Do we want to have it as relative level number as defined by auth_level_mapping (on well-known json), e.g. 50 or set acr e.g. otp?

"auth_level_mapping": {
        "-1": ["auth_ldap_server"],
        "50": ["otp"],
        "100": ["basic"],
        "10": ["u2f"],
        "15": ["super_gluu"]
    }

I can take over it if needed.

qbert2k commented on Oct 12, 2018
There is already an array of default requested Authentication Context Class Reference values (default_acr_values) per client that can be overridden/forced by the request parameter acr_values.

nynymike commented on Oct 12, 2018
But only in the authentication phase. So if a person is already logged in, these are ignored. What we want to do is force reauthentication. For example, before a code is sent back to the client

@ghost ghost assigned yuriyz Dec 27, 2021
@ossdhaval
Copy link
Contributor

Tagging @nynymike as the original author

@ghost ghost unassigned yuriyz Jan 10, 2022
@ossdhaval ossdhaval transferred this issue from another repository Jan 13, 2022
@ossdhaval ossdhaval added comp-jans-auth-server Component affected by issue or PR needs-triage Issue or PR yet to be triaged. Add more labels or details that will help during triage review. labels Jan 13, 2022
moabu pushed a commit that referenced this issue Jan 13, 2022
moabu pushed a commit that referenced this issue Jan 13, 2022
@moabu moabu added this to the 1.0.1 milestone Jun 15, 2022
@moabu moabu modified the milestones: 1.0.1, 1.0.2 Jul 8, 2022
@yuriyz yuriyz self-assigned this Jul 20, 2022
@moabu moabu modified the milestones: 1.0.2, 1.0.3 Aug 30, 2022
@moabu moabu modified the milestones: 1.0.3, 1.0.4 Nov 3, 2022
@moabu moabu modified the milestones: 1.0.4, 1.0.5 Nov 14, 2022
@yuriyz
Copy link
Contributor

yuriyz commented Nov 17, 2022

There is going to be new client properties:

  • minimumAcrLevel - integer value which sets minimum acr level.
  • minimumAcrLevelAutoresolve - boolean value, if false and minimumAcrLevel is higher then current acr_values then reject request. If true - resolve acr according to either client's minimumAcrPriorityList or AS auth_level_mapping
  • minimumAcrPriorityList - enables client to specify the acr order of preference, rather then just the next lowest integer value

For example, given:

  1. minimumAcrLevel = 14
  2. default_acr_values = "basic"
  3. minimumAcrPriorityList = ["u2f", "passkey", "usb_fido_key", "super_gluu"]
  4. OP auth_level_mapping :
"auth_level_mapping": {
        "1": ["basic"],
        "5": ["otp"],
        "10": ["u2f"],
        "11": ["super_gluu"],
        "20": ["passkey"],
        "30": ["usb_fido_key"]      
    }
  • if current acr_values=u2f and minimumAcrLevelAutoresolve=false -> request is rejected
  • if current acr_values=u2f and minimumAcrLevelAutoresolve=true -> acr_values set to acr_values=passkey and request continue processing
  • if current acr_values=usb_fido_key -> current acr is higher then minimum. Thus nothing to do.

If minimumAcrPriorityList is missing, then the AS can pick the next highest acr in the auth_level_mapping. In the example above, that would be passkey.

@yuriyz yuriyz changed the title Specify Minimum ACR for clients feat(jans-auth-server): specify minimum ACR for clients Nov 17, 2022
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Nov 17, 2022
@nynymike
Copy link
Contributor

The client should ideally have more control over this priority. I updated your example above.

@yuriyz
Copy link
Contributor

yuriyz commented Nov 18, 2022

@nynymike I like it, agreed.

yuriyz added a commit that referenced this issue Nov 28, 2022
yuriyz added a commit that referenced this issue Nov 28, 2022
* feat(jans-auth-server): specify minimum acr for clients #343

* feat(jans-auth-server): added minimum acr properties to dynamic registration #343

* doc(jans-auth-server): added docs and updated swagger with new minimum acr related properties #343
jgomer2001 pushed a commit that referenced this issue Nov 28, 2022
* docs: docker installation (#3027)

* docs: docker installation

* docs: add quick-start page

* docs: readme.md and compose,md made identical

* docs: adjust warning as per github pages syntex

* docs: replace docker with docker compose

* docs: github page identical to compose page

* docs: remove yml file deletion

* docs: fix

* docs: fix helm chart url

* build(deps): bump zeebe-io/backport-action from 0.0.8 to 0.0.9 (#3060)

Bumps [zeebe-io/backport-action](https://github.com/zeebe-io/backport-action) from 0.0.8 to 0.0.9.
- [Release notes](https://github.com/zeebe-io/backport-action/releases)
- [Commits](korthout/backport-action@v0.0.8...v0.0.9)

---
updated-dependencies:
- dependency-name: zeebe-io/backport-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: improve vm install instructions (#3091)

* docs: add sha check instructions for rhel

* docs: add sha check instructions for suse

* docs: formating and proofreading of install docs (#3092)

* feat: add custom annotation for configuration property and feature flag documentation (#2852)

* feat: add custom annotation for prop documentation

* feat: add annotation processor

* feat: annotate properties

* feat: configure annotation processor

* feat: add default value

* feat: add annotation to enum

* feat: add comment

* feat: rename annotation

* feat: rename processor class

* feat: refactor to new core module

* feat: fix test class errors

* feat: rename the module

* feat: add table and details view of content

* feat: sort properties

* feat: change wording - mandatory to required

* feat: add exception handling and logging

* feat: write file under classes output dir

* feat: create output file under target directory

* feat: rename property and file

* feat: create separate annotation for feature flags

* feat: code cleanup

* fix: add description to properties

* fix: add property descriptions from Gluu docs

* fix: add descriptions from Swagger

* fix(fido2): annotate fido config properties

* feat(scim): configure property documentation annotations

* fix: add module name to file and title

* fix: add Feature Flag descriptions

* fix: integrate doc generation with CI

* fix: add tags to generated docs

* fix: create separate sections for properties and flags

* fix: update the artifact version for jans-doc

* fix: contents of markdown files after merge

* ci: remove token req

* fix: sonar issues

* fix: sonar issues

* fix: sonar issues

* fix: move doc generation to shell script

Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>

* ci: use hotspath-storage in quickstart script

* doc: remove redundant API details sections (#3093)

* feat(jans-auth-server): specify minimum acr for clients #343 (#3083)

* feat(jans-auth-server): specify minimum acr for clients #343

* feat(jans-auth-server): added minimum acr properties to dynamic registration #343

* doc(jans-auth-server): added docs and updated swagger with new minimum acr related properties #343

* docs: add kuberentes planning guide initial points

* docs: add kuberentes planning guide initial points

* Update certificates.md (#3096)

* docs: scim logs

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Amro Misbah <amromisba7@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dhaval D <343411+ossdhaval@users.noreply.github.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Co-authored-by: YuriyZ <yzabrovarniy@gmail.com>
Co-authored-by: mzico <mohib@gluu.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request needs-triage Issue or PR yet to be triaged. Add more labels or details that will help during triage review.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants