Skip to content

Support to enforce LoA in authentication flow (Step-up)#16897

Closed
sventorben wants to merge 2 commits intokeycloak:mainfrom
sventorben:gh-16884
Closed

Support to enforce LoA in authentication flow (Step-up)#16897
sventorben wants to merge 2 commits intokeycloak:mainfrom
sventorben:gh-16884

Conversation

@sventorben
Copy link
Copy Markdown
Contributor

@sventorben sventorben commented Feb 7, 2023

Please see #16884 for details.

Closes #16884

@sventorben sventorben requested a review from a team as a code owner February 7, 2023 17:34
pedroigor
pedroigor reviewed Feb 13, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@pedroigor pedroigor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sventorben Nice one :)

Test failures are related and seem related to changes in the number of built-in providers.

@sventorben sventorben requested review from a team as code owners February 14, 2023 17:58
@sventorben sventorben requested a review from a team February 14, 2023 17:58
@sventorben
Copy link
Copy Markdown
Contributor Author

sventorben commented Feb 15, 2023

Thanks @pedroigor!

I fixed the test cases. Anything else this would need?

@pedroigor
Copy link
Copy Markdown
Contributor

pedroigor commented Feb 15, 2023

@sventorben Thanks. We need to provide a test for it.

@mposolda May I ask you to continue reviewing and help with tests?

mposolda
mposolda requested changes Feb 16, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sventorben Thanks for the PR. I've added one minor note inline. Besides that:

  • I vote against ConditionalClientIdAuthenticator. It doesn't scale as realms can have thousands of clients. We already discussed (and rejected) this idea some time ago during the work on "client policies". The idea is to instead use some other ways to make sure that particular client matches the condition. For example it can be "marker" client role added to client or some kind of "marker" client scope.

This also allows that "client administrator" is not forced to contact "global realm administrator" to update authentication flow always when client wants to "enforce loa".

  • Regarding ForceLoAAuthenticator, I would also prefer this to be rather "client policy executor" instead of "Authenticator". This will allow to re-use all existing conditions provided by current client policies instead of add new dedicated condition implementation to the authentication flow.

I see the possible issue that authenticationSession is not available when AUTHORIZATION_REQUEST client policy is triggered (on AuthorizationEndpoint - line 202). However hopefully this can be mitigated by either:

  1. rewrite claims parameter and add enforced level to "essential" claims (if bigger than already provided in claims parameter)
  2. add some contextData<String, Object> map to AuthorizationEndpointRequest . Client policy executor can set some attribute to it like MIN_ENFORCED_LOA_LEVEL. Then AuthorizationEndpoint (part of the codebase where Loa is parsed) can consume this.
  3. add dedicated client policy event type like POST_AUTHORIZATION_REQUEST, which can be triggered after authenticationSession is parsed and available.

I think (2) is my favourite right now, but any of those works (whatever you find easiest).

  • Tests are possible in LevelOfAssuranceFlowTest to test step-up. Tests for client policies are in package org.keycloak.testsuite.client.policies - for inspiration how to setup client policies (if we go this path).

Comment thread .../src/main/java/org/keycloak/authentication/authenticators/browser/ForceLoAAuthenticator.java
}
for (String configuredAcr : defaultAcrValues) {
int loa;
if (acrToLoaMap.containsKey(configuredAcr)) {
Copy link
Copy Markdown
Contributor

@mposolda mposolda Feb 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: Is it possible to add util method to AcrUtils like:

Integer getMappedLoad(String loa, Map<String, Integer> acrLoaMap);

and make the code in lines 50-59 to use that util method? For that case, it will be also good to update method AcrUtils.mapLoaToAcr (lines around 132-141) to use your new method. Just trying to avoid using same/similar logic on multiple places around codebase.

Copy link
Copy Markdown
Contributor Author

@sventorben sventorben Feb 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, sure. Will do.

@sventorben
Copy link
Copy Markdown
Contributor Author

sventorben commented Feb 17, 2023

@mposolda
Using a client policy executor instead of an authenticator will not work for SAML clients, right?
At least I cannot find any client policy checks in the SamlEndpoint. Am I missing something?

Regarding the usage of a "marker" client role or "marker" client scope, there is a ClientScopesCondition and ClientRolesCondition for use with client policies. But is there any condition supported within flows (like an authenticator)?

@mposolda
Copy link
Copy Markdown
Contributor

mposolda commented Feb 20, 2023
edited
Loading

@mposolda Using a client policy executor instead of an authenticator will not work for SAML clients, right? At least I cannot find any client policy checks in the SamlEndpoint. Am I missing something?

Yes, true. I think the SAML clients were not yet used with client policies. But if you need SAML, you can possibly add some "execution point" somewhere to the SamlEndpoint (right before authentication is triggered). I think that some conditions like for example ClientRolesCondition or ClientScopesCondition should work for SAML clients as well. @tnorimat WDYT? Do you see any reason or potential limitation why it would be an issue to have client policies triggered for SAML clients?

Regarding the usage of a "marker" client role or "marker" client scope, there is a ClientScopesCondition and ClientRolesCondition for use with client policies. But is there any condition supported within flows (like an authenticator)?

@sventorben Nope, it is not right now. That's also one of the reasons why I am more towards the "Client Policies" path, because the conditions are already available here. So only new thing needed here is the implementation of the executor though.

@mrpatrickpilch
Copy link
Copy Markdown

mrpatrickpilch commented Mar 7, 2023

@mposolda I have a use case in which this being an authenticator came in handy. I wanted to force an LoA after the "selected user" was determined (such as after a username/password form being completed) in an authentication flow. Not sure if I have access to user attributes/metadata in a client policy.

@sventorben
Copy link
Copy Markdown
Contributor Author

sventorben commented Mar 14, 2023

@mposolda Thanks for your reply. I added commit 75689bf to this PR.
Would you mind taking a quick look at this just to check if I am going into the right direction here?

@mposolda
Copy link
Copy Markdown
Contributor

mposolda commented Oct 21, 2024

@sventorben Thanks for the PR and sorry for the late feedback.

In the end, we ended with the approach of #33205 . If it doesn't met your needs, feel free to create a follow-up issue if needed.

@mposolda mposolda closed this Oct 21, 2024
@mposolda mposolda self-assigned this Oct 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedroigor pedroigor pedroigor left review comments

@mposolda mposolda mposolda requested changes

Assignees

@mposolda mposolda

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support to enforce LoA in authentication flow for a client (Step-up)

4 participants

@sventorben @pedroigor @mposolda @mrpatrickpilch