fix: Fix ID-porten acr claim parsing (#1299)

## Description This fixes acr-parsing (authentication level) for real ID-porten tokens ## Related Issue(s) N/A ## Verification - [x] **Your** code builds clean without any errors or warnings - [x] Manual testing done (required) - [x] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Note There is a bug in the token generator in https://github.com/Altinn/AltinnTestTools, which is still producing the old "Level3" and "Level4" acr-values.  ## Summary by CodeRabbit - **New Features** - Enhanced logic for determining authentication levels, improving efficiency and clarity. - Improved handling of authorization details for better data management. - **Tests** - Introduced unit tests for the authentication level parsing, ensuring accuracy and reliability of the new logic.
Altinn · Oct 16, 2024 · 8b8862f · 8b8862f
1 parent eb0f19b
commit 8b8862f
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 6 deletions.
diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
@@ -174,17 +174,26 @@ public static bool TryGetOrganizationNumber(this Claim? consumerClaim, [NotNullW
 
     public static bool TryGetAuthenticationLevel(this ClaimsPrincipal claimsPrincipal, [NotNullWhen(true)] out int? authenticationLevel)
     {
-        foreach (var claimType in new[] { IdportenAuthLevelClaim, AltinnAuthLevelClaim })
+        if (claimsPrincipal.TryGetClaimValue(AltinnAuthLevelClaim, out var claimValue) && int.TryParse(claimValue, out var level))
         {
-            if (!claimsPrincipal.TryGetClaimValue(claimType, out var claimValue)) continue;
-            // The acr claim value is "LevelX" where X is the authentication level
-            var valueToParse = claimType == IdportenAuthLevelClaim ? claimValue[5..] : claimValue;
-            if (!int.TryParse(valueToParse, out var level)) continue;
-
             authenticationLevel = level;
             return true;
         }
 
+        if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
+        {
+            // The acr claim value is either "idporten-loa-substantial" (previously "Level3") or "idporten-loa-high" (previously "Level4")
+            // https://docs.digdir.no/docs/idporten/oidc/oidc_protocol_new_idporten#new-acr-values
+            authenticationLevel = claimValue switch
+            {
+                "idporten-loa-substantial" => 3,
+                "idporten-loa-high" => 4,
+                _ => null
+            };
+
+            return authenticationLevel.HasValue;
+        }
+
         authenticationLevel = null;
         return false;
     }

diff --git a/...en.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs b/...en.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
@@ -0,0 +1,59 @@
+using System.Security.Claims;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
+
+namespace Digdir.Domain.Dialogporten.Application.Unit.Tests.Features.V1.Common.Extensions;
+
+public class ClaimsPrincipalExtensionsTests
+{
+    [Fact]
+    public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level3()
+    {
+        // Arrange
+        var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity(new[]
+        {
+            new Claim("acr", "idporten-loa-substantial")
+        }));
+
+        // Act
+        var result = claimsPrincipal.TryGetAuthenticationLevel(out var authenticationLevel);
+
+        // Assert
+        Assert.True(result);
+        Assert.Equal(3, authenticationLevel);
+    }
+
+    [Fact]
+    public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level4()
+    {
+        // Arrange
+        var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity(new[]
+        {
+            new Claim("acr", "idporten-loa-high")
+        }));
+
+        // Act
+        var result = claimsPrincipal.TryGetAuthenticationLevel(out var authenticationLevel);
+
+        // Assert
+        Assert.True(result);
+        Assert.Equal(4, authenticationLevel);
+    }
+
+    [Fact]
+    public void TryGetAuthenticationLevel_Should_Parse_Altinn_Authlevel_First()
+    {
+        // Arrange
+        var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity(new[]
+        {
+            new Claim("acr", "idporten-loa-high"),
+            new Claim("urn:altinn:authlevel", "5")
+        }));
+
+        // Act
+        var result = claimsPrincipal.TryGetAuthenticationLevel(out var authenticationLevel);
+
+        // Assert
+        Assert.True(result);
+        Assert.Equal(5, authenticationLevel);
+    }
+}