[ CDM-243 ] [ CDM-245 ] Orcid Provider MFA Support & Token response mfaAuthenticated
#471
@Override | ||
public int hashCode() { | ||
final int prime = 31; | ||
int result = 1; | ||
result = prime * result + ((email == null) ? 0 : email.hashCode()); | ||
result = prime * result + ((fullname == null) ? 0 : fullname.hashCode()); | ||
result = prime * result + ((mfaAuthenticated == null) ? 0 : mfaAuthenticated.hashCode()); |
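Review bot: the null check on mfaAuthenticated in the last line means the field is a boxed Boolean, not a primitive boolean, so null is a third state (presumably "unknown"); that is a workable tri-state, but it should be a deliberate choice, and equals() must compare the same three fields with the same null handling, otherwise equal objects can hash differently. Boolean.hashCode() itself is well defined, so the hash contribution is fine as written.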
Not sure this is right, as it is a boolean.
(though it seems to be working)
src/main/java/us/kbase/auth2/providers/OrcIDIdentityProviderFactory.java
Update tests to handle MFA field additions and ORCID OpenID Connect changes:
- Fix hash codes in RemoteIdentityTest for new MFA field
- Update ORCID provider tests for openid scope instead of /authenticate
- Add mfaAuthenticated field to API response expectations
- Fix non-ORCID provider test to use null MFA status
- Update identity ordering in user endpoint tests
Codecov Report: Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## develop #471 +/- ##
=============================================
+ Coverage 93.37% 93.40% +0.03%
- Complexity 2151 2168 +17
=============================================
Files 126 126
Lines 7558 7623 +65
Branches 1184 1202 +18
=============================================
+ Hits 7057 7120 +63
Misses 458 458
- Partials 43 45 +2
Move MFA status from being computed from user identities to being stored as a boolean field on tokens themselves. This provides per-token MFA tracking and eliminates the need for complex identity lookups.
src/main/java/us/kbase/auth2/providers/OrcIDIdentityProviderFactory.java
52f871c to 3d9e93e (Compare)
Seems to be some stochasticity in these tests, as I had to change the order. I haven't identified a change I made that would cause this directly. Seen in src/test/resources/us/kbase/test/auth2/service/ui/MeTest_getMeMaximalInput.testdata, src/test/java/us/kbase/test/auth2/service/ui/MeTest.java, src/test/java/us/kbase/test/auth2/service/api/UserEndpointTest.java
I haven't looked at tests yet as this review is already pretty huge
*/ | ||
private Boolean parseAmrClaim(final String idToken) { | ||
if (idToken == null || idToken.trim().isEmpty()) { | ||
return null; |
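Review bot: returning null for a null or blank idToken silently folds "the provider returned no token" into "MFA status unknown", and nothing at this point records that it happened; when the token was requested via the openid scope, log (or fail on) its absence here rather than treating it like a provider that never supplies one. Minor: on Java 11+ `idToken.trim().isEmpty()` can be `idToken.isBlank()`.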
If the token is expected this should throw an error
This was throwing in tests, but I think I fixed those tests, so I bet I can remove this check now
I'm going to keep this check so we don't get runtime errors if ORCID fails to return a JWT, but I am going to log that as happening. The user will see their MFA status as unknown, but the flow won't fail. If the JWT is malformed, however, I am going to throw.
Unless there's a documented reason oid wouldn't return a token when we've asked for one, this should fail IMO. Don't code for circumstances that can't happen, just fail
The circumstance would be "they change our oAuth scope access" (eg decide to remove our member API access) which can happen without any change on our end. Trying to be a bit defensive. Seems we shouldn't prevent all orcid logins in that case. But if we're ok with that, I can throw here too
ALSO if we throw here, all auth2 deploys will REQUIRE orcid member api access
Ok. How about a 4th enum value for this case to distinguish it from the provider doesn't support it at all?
Actually - does changing the scope mean that other auth installs will fail if they don't have member api access?
I'm going to actually have to double check the api on this; it looks like the docs say conflicting things (you need member api to see the jwt claims, but that the openid scope is available on the public api and its only purpose is to return the jwt) or it's possible it will return two completely different jwts depending on scope or api access... anyway I will check
Adds MFA boolean to RemoteIdentity and StoredToken classes, which get stored in Mongo. Adds JWT parsing to extract the AMR claim from the Orcid login token during login. Modifies the token to include MFA status.
A nice summary of all the changes from claude:
Key Changes
Core Implementation:
- mfa field added to StoredToken (stored as mfa in MongoDB)
ORCID Provider Enhancement:
Authentication Flow:
API Response
The /api/V2/token endpoint now returns mfa with tri-state semantics:
- USED: User authenticated with MFA during token creation (e.g. Orcid with MFA)
- NOT_USED: User explicitly chose not to use MFA when available (e.g. Orcid without MFA)
- UNKNOWN: MFA status unknown or not applicable to authentication method (e.g. Google (mfa inspection not supported), or a dev token)
Database Schema
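As an added illustration, not code from the auth2 project, here is how the tri-state above can be derived from the amr claim of an ORCID id_token, with the handling the review thread discussed: an absent token yields UNKNOWN (to be logged by the caller) while a present but malformed token is an error. The class and method names are assumptions, as is mapping a token that carries no amr claim to UNKNOWN; the regex stands in for a real JSON parser, and "mfa" is the RFC 8176 amr value.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AmrMfaStatus {
    /** Tri-state MFA status, mirroring the semantics described in the PR. */
    public enum MfaStatus { USED, NOT_USED, UNKNOWN }

    // Crude extraction of the "amr" array from the decoded payload; a real
    // implementation should use a JSON parser. "mfa" is the RFC 8176 value.
    private static final Pattern AMR =
            Pattern.compile("\"amr\"\\s*:\\s*\\[([^\\]]*)\\]");

    // No token at all -> UNKNOWN (the caller logs it); a token that is present
    // but not a well-formed JWT is a hard error rather than a silent UNKNOWN.
    public static MfaStatus fromIdToken(final String idToken) {
        if (idToken == null || idToken.trim().isEmpty()) {
            return MfaStatus.UNKNOWN;
        }
        final String[] parts = idToken.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("malformed JWT: expected 3 segments");
        }
        final String payload;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[1]),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("malformed JWT: bad base64url payload", e);
        }
        final Matcher m = AMR.matcher(payload);
        if (!m.find()) {
            return MfaStatus.UNKNOWN; // assumption: token without an amr claim -> UNKNOWN
        }
        return m.group(1).contains("\"mfa\"") ? MfaStatus.USED : MfaStatus.NOT_USED;
    }

    // Constructed, unsigned sample token; the signature segment is a placeholder.
    // Production code must verify the JWT signature before trusting any claim.
    static String sampleToken(final String payloadJson) {
        final Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        final String hdr = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        return hdr + "." + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".sig";
    }

    public static void main(final String[] args) {
        System.out.println("mfa+pwd:  " + fromIdToken(sampleToken("{\"sub\":\"x\",\"amr\":[\"mfa\",\"pwd\"]}")));
        System.out.println("pwd only: " + fromIdToken(sampleToken("{\"sub\":\"x\",\"amr\":[\"pwd\"]}")));
        System.out.println("no token: " + fromIdToken(null));
    }
}
```

The three calls in main cover USED, NOT_USED and UNKNOWN; passing a token with two segments or a non-base64url payload exercises the error path.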