Merge pull request #250 from dBucik/removeForceauthn

fix: 🐛 Remove forceAuthn for MFA

Author: Dominik František Bučík

perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml

@@ -569,6 +569,10 @@
     </bean>
 
     <bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
+        <constructor-arg name="config" ref="perunOidcConfig"/>
+        <constructor-arg name="facilityAttrsConfig" ref="facilityAttrsConfig"/>
+        <constructor-arg name="perunAdapter" ref="perunAdapter"/>
+        <constructor-arg name="samlProperties" ref="samlProperties"/>
         <property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
     </bean>
 

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunPostEncoder.java

@@ -6,14 +6,10 @@
 import org.opensaml.saml2.binding.encoding.HTTPPostEncoder;
 import org.opensaml.ws.message.MessageContext;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.util.StringUtils;
 
 public class PerunPostEncoder extends HTTPPostEncoder {
 
-    private static final Logger log = LoggerFactory.getLogger(PerunPostEncoder.class);
-
     public PerunPostEncoder(VelocityEngine engine, String templateId) {
         super(engine, templateId);
     }

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java

@@ -7,7 +7,6 @@
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.IDP_ENTITY_ID_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_CLIENT_ID;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
-import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.REFEDS_MFA;
 
 import cz.muni.ics.oidc.models.Facility;
 import cz.muni.ics.oidc.models.PerunAttributeValue;
@@ -33,7 +32,6 @@
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.ws.message.encoder.MessageEncodingException;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.saml.SAMLConstants;
 import org.springframework.security.saml.SAMLEntryPoint;
@@ -50,7 +48,6 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
     private final FacilityAttrsConfig facilityAttrsConfig;
     private final SamlProperties samlProperties;
 
-    @Autowired
     public PerunSamlEntryPoint(PerunAdapter perunAdapter,
                                PerunOidcConfig config,
                                FacilityAttrsConfig facilityAttrsConfig,
@@ -140,17 +137,9 @@ protected void initializeSSO(HttpServletRequest request, SAMLMessageContext cont
     private void addExtraParams(HttpServletRequest request, WebSSOProfileOptions options) {
         log.debug("Transforming OIDC params to SAML");
         processAcrValues(request, options);
-        processForceAuthn(request, options);
         processPrompt(request, options);
     }
 
-    private void processForceAuthn(HttpServletRequest request, WebSSOProfileOptions options) {
-        if (PerunSamlUtils.needsReAuthByForceAuthn(request)) {
-            log.debug("Transformed forceAuthn parameter to SAML forceAuthn=true");
-            options.setForceAuthN(true);
-        }
-    }
-
     private void processPrompt(HttpServletRequest request, WebSSOProfileOptions options) {
         if (PerunSamlUtils.needsReAuthByPrompt(request)) {
             log.debug("Transformed prompt parameter ({}) to SAML forceAuthn=true",
@@ -173,11 +162,6 @@ private void processAcrValues(HttpServletRequest request, WebSSOProfileOptions o
             }
         }
 
-        if (PerunSamlUtils.needsReAuthByMfa(request)) {
-            log.debug("ACRs include {}, added forceAuthn to proxy request", REFEDS_MFA);
-            options.setForceAuthN(true);
-        }
-
         if (StringUtils.hasText(request.getParameter(PARAM_CLIENT_ID)) && config.isAddClientIdToAcrs()) {
             String clientIdAcr = CLIENT_ID_PREFIX + request.getParameter(PARAM_CLIENT_ID);
             log.debug("Adding client_id ACR ({}) to list of AuthnContextClassRefs for purposes" +

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlUtils.java

@@ -1,12 +1,9 @@
 package cz.muni.ics.oidc.saml;
 
-import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_ACR_VALUES;
-import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_FORCE_AUTHN;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_LOGIN;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PROMPT_SELECT_ACCOUNT;
 
-import cz.muni.ics.oidc.server.filters.AuthProcFilterConstants;
 import javax.servlet.ServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.util.StringUtils;
@@ -22,19 +19,4 @@ public static boolean needsReAuthByPrompt(ServletRequest request) {
         return res;
     }
 
-    public static boolean needsReAuthByForceAuthn(ServletRequest request) {
-        String forceAuthn = request.getParameter(PARAM_FORCE_AUTHN);
-        boolean res = (StringUtils.hasText(forceAuthn) && Boolean.parseBoolean(forceAuthn));
-        log.debug("requires reAuth by forceAuthn - {}", res);
-        return res;
-    }
-
-    public static boolean needsReAuthByMfa(ServletRequest request) {
-        String acrValues = request.getParameter(PARAM_ACR_VALUES);
-        boolean res = StringUtils.hasText(acrValues)
-            && acrValues.contains(AuthProcFilterConstants.REFEDS_MFA);
-        log.debug("requires reAuth by MFA acr - {}", res);
-        return res;
-    }
-
 }