
fix(oxauth): re-authentication doesn't happen for OIDC authz request with the higher "level" acr requested anymore #1879

Closed
aliaksander-samuseu opened this issue Nov 22, 2023 · 5 comments
Labels: bug bug in code

@aliaksander-samuseu
Contributor

aliaksander-samuseu commented Nov 22, 2023

Describe the issue

When a user already has a session at oxAuth and a new authz request arrives requesting an auth method of a higher priority (represented by the "Level" property of its person authentication script), they are not asked to re-login as was done before, and are just issued the tokens (SSO).

Preconditions

  1. A basic OIDC client registration is created which can be used for authz code flow

Steps To Reproduce

  1. On the "Configuration" > "Manage Authentication" > "Default authentication method" page, set the oxTrust auth method to the "basic" script
  2. Make sure some other script with a higher value of the "Level" property is enabled ("passport_saml" is a good candidate)
  3. In a new incognito window, log in to oxTrust at this Gluu Server
  4. In the same incognito window, put the following URL into the address bar and hit "Enter" (use your own values for hostname, redirect_uri and client_id): https://your.gluu.server/oxauth/restv1/authorize?response_type=code&scope=openid+email+address+profile+username+cognizant+offline_access&client_id=XXXX-XXXX-XXXX&state=hVCBnAfO546jV6IBzdHowr80UjI&redirect_uri=https://some.host/some/redirect_uri&nonce=6RLUGm0O6EO63oqleJIu8rET4wuicTRXFVQySSxRkoo&acr_values=passport_saml

Expected behavior

The user is presented with the login page at step 4, as the "passport_saml" auth method has a greater "level" than "basic".

Actual behavior

The user is sent back to redirect_uri with the authz code. Attached are oxauth.log and a HAR file taken during step 4 in my test setup.
acr_values_relogin.zip

@aliaksander-samuseu aliaksander-samuseu added the bug bug in code label Nov 22, 2023
@aliaksander-samuseu aliaksander-samuseu added this to the 4.5.3 milestone Nov 22, 2023
@yuriyz
Contributor

yuriyz commented Nov 23, 2023

@aliaksander-samuseu I'm not able to reproduce this issue.

I've installed the latest 4.5.2 here: https://yuriyz-dominant-ape.gluu.info/.well-known/openid-configuration
(please find the pem in the bot chat if you need ssh)

First I've hit simple_password_auth, which has level 0:

  1. https://yuriyz-dominant-ape.gluu.info/oxauth/restv1/authorize?client_id=1001.5d97240f-3fd8-4ec7-8f90-57cd7405d924&redirect_uri=https%3A%2F%2Fyuriyz-dominant-ape.gluu.info%2Fidentity%2Fauthcode.htm&response_type=code&scope=openid+profile+email+user_name&nonce=29effc4d-99e9-42cf-8352-f1d969007d5a&state=5aee1e16-1956-4d18-be54-602ab9259170&acr_values=simple_password_auth
  2. After login I've hit the authorization endpoint with basic, which has level 10 (higher):
     https://yuriyz-dominant-ape.gluu.info/oxauth/restv1/authorize?client_id=1001.5d97240f-3fd8-4ec7-8f90-57cd7405d924&redirect_uri=https%3A%2F%2Fyuriyz-dominant-ape.gluu.info%2Fidentity%2Fauthcode.htm&response_type=code&scope=openid+profile+email+user_name&nonce=29effc4d-99e9-42cf-8352-f1d969007d5a&state=5aee1e16-1956-4d18-be54-602ab9259170&acr_values=basic

The login screen appears, which is exactly what we expect. Can you give steps on that VM to reproduce the issue?

@yuriyz
Contributor

yuriyz commented Nov 24, 2023

Closing as not reproducible. @aliaksander-samuseu please re-open if you are able to reproduce on the VM above.

@aliaksander-samuseu
Contributor Author

aliaksander-samuseu commented Nov 29, 2023

Hi, @yuriyz
Sorry for not answering earlier, I missed the notification in my inbox. I've got access to the Gluu Server instance you deployed (could you make sure it stays up for a bit longer, in case we need to test it further) and was able to reproduce the issue.

Here is what I did:

  1. Set "basic" as the default oxTrust auth method on the "Manage authentication" page
  2. Enabled the "yubicloud" person auth script
  3. Opened an incognito window in Chrome
  4. Followed the https://yuriyz-dominant-ape.gluu.info URL; as "basic" is set as the default method, in the trace you may see how at some point oxAuth adds "acr_values=basic" to the authz request; logged in as requested (the session is created at that point)
  5. Used the second URL you provided above, only changing the "acr_values" parameter to the "yubicloud" value (which has level 40, while basic is 10)

No login page for me at step 5; it immediately sends me back to oxTrust with the code.
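To make the rule the original report and the Nov 29 reproduction are testing concrete, here is an added, illustrative model of the acr "Level" step-up decision. It is not oxAuth's code: `SCRIPT_LEVELS`, `Session` and `decide` are hypothetical names, and the levels are constructed from the values quoted in this thread (simple_password_auth 0, basic 10, yubicloud 40). It also handles the edge cases the thread does not spell out (no session, a multi-valued acr_values, a requested acr with no enabled script).

```python
"""Illustrative model of the acr "Level" step-up check discussed in this issue.

Added example, not oxAuth code. Script levels are constructed from the
values quoted in the thread: simple_password_auth=0, basic=10, yubicloud=40.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed: enabled person-authentication scripts and their "Level" property.
SCRIPT_LEVELS = {"simple_password_auth": 0, "basic": 10, "yubicloud": 40}
DEFAULT_ACR = "basic"  # constructed default authentication method (as in step 1)


@dataclass
class Session:
    user: str
    acr: str  # the acr the existing session was authenticated with


def parse_acr_values(param: Optional[str]) -> list[str]:
    """acr_values is a space-separated list (OIDC Core 3.1.2.1); '+' in a raw
    query string is a form-encoded space, so it is normalised here too."""
    if not param:
        return []
    return [a for a in param.replace("+", " ").split() if a]


def decide(session: Optional[Session], acr_values: Optional[str]) -> str:
    """Return 'sso' (reuse the session and issue a code), 'reauth' (show the
    login page) or 'error' (no enabled script can satisfy the request).

    Rule under test in the thread: an existing session may satisfy a request
    only if a requested acr's Level is not higher than the session acr's Level.
    The bug report describes the failure where a higher level wrongly yields 'sso'.
    """
    requested = parse_acr_values(acr_values) or [DEFAULT_ACR]
    known = [a for a in requested if a in SCRIPT_LEVELS]
    if not known:
        return "error"  # nothing enabled matches the RP's acr_values
    if session is None or session.acr not in SCRIPT_LEVELS:
        return "reauth"  # no session, or one bound to a now-disabled script
    session_level = SCRIPT_LEVELS[session.acr]
    # The RP accepts any listed acr; SSO is fine if one of them is at or below
    # the level the user already authenticated at. A higher one forces re-login.
    if any(SCRIPT_LEVELS[a] <= session_level for a in known):
        return "sso"
    return "reauth"
```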

@yuriyz yuriyz changed the title Re-authentication doesn't happen for OIDC authz request with the higher "level" acr requested anymore fix(oxauth): re-authentication doesn't happen for OIDC authz request with the higher "level" acr requested anymore Dec 1, 2023
yuriyz added a commit that referenced this issue Dec 1, 2023
yuriyz added a commit that referenced this issue Dec 1, 2023
@yuriyz
Contributor

yuriyz commented Dec 1, 2023

@aliaksander-samuseu the issue is fixed in 4.5.3 and master. I've updated the VM. Would you please test it and confirm all is good?

@yuriyz
Contributor

yuriyz commented Dec 5, 2023

Closing as fixed.

@yuriyz yuriyz closed this as completed Dec 5, 2023