mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
fix(handler): oidc two factor handling (#3512)
This commit is contained in:
parent
e786eec8b0
commit
607bbcc324
15
internal/authentication/util.go
Normal file
15
internal/authentication/util.go
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
package authentication
|
||||||
|
|
||||||
|
// LevelToString returns a string representation of an authentication.Level.
|
||||||
|
func LevelToString(level Level) string {
|
||||||
|
switch level {
|
||||||
|
case NotAuthenticated:
|
||||||
|
return "not_authenticated"
|
||||||
|
case OneFactor:
|
||||||
|
return "one_factor"
|
||||||
|
case TwoFactor:
|
||||||
|
return "two_factor"
|
||||||
|
}
|
||||||
|
|
||||||
|
return "invalid"
|
||||||
|
}
|
|
@ -8,6 +8,8 @@ import (
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/ory/fosite"
|
"github.com/ory/fosite"
|
||||||
|
|
||||||
|
"github.com/authelia/authelia/v4/internal/authentication"
|
||||||
|
"github.com/authelia/authelia/v4/internal/authorization"
|
||||||
"github.com/authelia/authelia/v4/internal/middlewares"
|
"github.com/authelia/authelia/v4/internal/middlewares"
|
||||||
"github.com/authelia/authelia/v4/internal/model"
|
"github.com/authelia/authelia/v4/internal/model"
|
||||||
"github.com/authelia/authelia/v4/internal/oidc"
|
"github.com/authelia/authelia/v4/internal/oidc"
|
||||||
|
@ -105,7 +107,7 @@ func handleOIDCAuthorizationConsentWithChallengeID(ctx *middlewares.AutheliaCtx,
|
||||||
return consent, false
|
return consent, false
|
||||||
}
|
}
|
||||||
|
|
||||||
handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
|
handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
|
||||||
|
|
||||||
return consent, true
|
return consent, true
|
||||||
}
|
}
|
||||||
|
@ -169,16 +171,23 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, rootUR
|
||||||
return nil, true
|
return nil, true
|
||||||
}
|
}
|
||||||
|
|
||||||
handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
|
handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
|
||||||
|
|
||||||
return consent, true
|
return consent, true
|
||||||
}
|
}
|
||||||
|
|
||||||
func handleOIDCAuthorizationConsentRedirect(destination string, client *oidc.Client, userSession session.UserSession, rw http.ResponseWriter, r *http.Request) {
|
func handleOIDCAuthorizationConsentRedirect(ctx *middlewares.AutheliaCtx, destination string, client *oidc.Client,
|
||||||
|
userSession session.UserSession, rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) {
|
||||||
if client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
|
if client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
|
||||||
|
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is sufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
|
||||||
|
|
||||||
destination = fmt.Sprintf("%s/consent", destination)
|
destination = fmt.Sprintf("%s/consent", destination)
|
||||||
|
} else {
|
||||||
|
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is insufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' is being redirected to '%s'", requester.GetID(), client.GetID(), destination)
|
||||||
|
|
||||||
http.Redirect(rw, r, destination, http.StatusFound)
|
http.Redirect(rw, r, destination, http.StatusFound)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,6 +41,7 @@ func TestNewClient(t *testing.T) {
|
||||||
assert.Equal(t, fosite.ResponseModeFormPost, exampleClient.ResponseModes[1])
|
assert.Equal(t, fosite.ResponseModeFormPost, exampleClient.ResponseModes[1])
|
||||||
assert.Equal(t, fosite.ResponseModeQuery, exampleClient.ResponseModes[2])
|
assert.Equal(t, fosite.ResponseModeQuery, exampleClient.ResponseModes[2])
|
||||||
assert.Equal(t, fosite.ResponseModeFragment, exampleClient.ResponseModes[3])
|
assert.Equal(t, fosite.ResponseModeFragment, exampleClient.ResponseModes[3])
|
||||||
|
assert.Equal(t, authorization.TwoFactor, exampleClient.Policy)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestIsAuthenticationLevelSufficient(t *testing.T) {
|
func TestIsAuthenticationLevelSufficient(t *testing.T) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user