Add a flag to not allow a strict IAL2 user to redirect without phone proofing #6270

Merged
jmhooper merged 7 commits into main from jmhooper-no-strict-ial2-gpo-letter-redirect
Apr 29, 2022
@jmhooper
Contributor

We may need to make a change in the future to require strict IAL2 users to proof with phone. This commit does some work towards making that possible. It makes changes to the authorization controller to prevent a user from being redirected at strict IAL2 unless they have proofed with phone. This change is flagged off at the moment.

This change is not totally complete; there are changes that will need to go in place to remove the option during proofing.

…proofing

We may need to make a change in the future to require strict IAL2 users to proof with phone. This commit does some work towards making that possible. It makes changes to the authorization controller to prevent a user from being redirected at strict IAL2 unless they have proofed with phone.

This change is not totally complete; there are changes that will need to go in place to remove the option during proofing.

changelog: Upcoming feature, Proofing, A user will need to proof with a phone before being sent back to the IdP for strict IAL2 proofing
identity_needs_strict_ial2_verification?
end

def identity_needs_strict_ial2_verification?
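Review bot: The `def identity_needs_strict_ial2_verification?` line has no comment above it in this excerpt, yet the predicate is called in the redirect decision just before the `end`. Since the description says the behaviour is flagged off for now, a one-line comment at the definition naming the flag and the conditions it combines would keep a reader from assuming the phone-proofing check is already enforced.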
Contributor

As I've recently discovered (LG-6217), we're already not very consistent, but: Should we have equivalent logic for SAML as well?

Contributor Author

Yes, however we don't support strict IAL2 in SAML today. I was going to figure out what it all looks like before moving it over

Contributor

Hm, now I'm wondering if the changes in #6253 shouldn't have been implemented, then? I seem to recall there were some failing specs that it was resolving from #6229, as if we had specs running through a SAML + IAL2Strict scenario.

Contributor Author

Interesting, I did not think SAML supported it at all. You may have jumped ahead of me a bit. Fortunately IAL2 strict is disabled in all the places that matter.

proofing_components['address_check'] == 'lexis_nexis_address'
end

def strict_ial2_proofed?
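Review bot: The first line of this excerpt indexes `proofing_components['address_check']` directly and compares it with the literal 'lexis_nexis_address'. If `proofing_components` can be nil for a profile, the predicate raises instead of returning false, so guard it (safe navigation would do) or confirm the guard sits above the visible lines. A named constant for the vendor string would also keep this check and `strict_ial2_proofed?` from drifting apart.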
Contributor Author

I would like to get includes_liveness_check? and includes_phone_check? out of the public API for the model eventually. First need to chase down all of the existing uses of includes_liveness_check?

Contributor

@aduth aduth left a comment

LGTM 👍

@jmhooper jmhooper merged commit 9ee8ee4 into main Apr 29, 2022
@jmhooper jmhooper deleted the jmhooper-no-strict-ial2-gpo-letter-redirect branch April 29, 2022 15:56
peggles2 pushed a commit that referenced this pull request May 3, 2022
…proofing (#6270)
peggles2 pushed a commit that referenced this pull request May 5, 2022
…proofing (#6270)