SURFscz · baszoetekouw · Jun 5, 2024 · May 21, 2024 · May 23, 2024
diff --git a/server/weblogin_daemon.py b/server/weblogin_daemon.py
@@ -42,6 +42,7 @@
 Session(app)
 
 oidc_enabled = config['oidc']['enabled']
+min_auth_level = config['oidc']['min_auth_level']
 
 if oidc_enabled:
     client_metadata = ClientMetadata(
@@ -245,6 +246,15 @@ def __login(session_id):
             message += f"{attribute_id} successfully authenticated<br>\n"
             message += f"Verification code: {code}<br><br>\n"
             message += "<i>This window may be closed</i>\n"
+            if min_auth_level != 0:
+                # Get access_token to introspect on for auth_level validation
+                access_token = authzn.valid_access_token()
+                introspection = authzn.clients['pam-weblogin']._token_introspection_request(access_token)
+                if 'auth_level' in introspection:
+                    if introspection['auth_level'] < min_auth_level:
+                        message = f"min_auth_level {introspection['auth_level']} less than {min_auth_level}. You need MFA"
+                else:
+                    logging.debug('auth_level missing from introspect request')
         else:
             message = f"user_id {user_id} not found\n"
     else:

diff --git a/server/weblogin_daemon.yml.example b/server/weblogin_daemon.yml.example
@@ -9,3 +9,4 @@ oidc:
   client_id: '<client>'
   client_secret: '<secret>'
   redirect_uri: 'https://<server>>/redirect_uri
+  min_auth_level: 0