
Step Up Authentication and infinite redirect Loops #1321

Unanswered
singhmann1 asked this question in Q&A

We have implemented stepup authentication using acr_values referring to the page located at https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication

We have the following setup on Apache:

<Location /admin>
    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim acr:2
        Require claim group:admins_group
    </RequireAll>
    OIDCUnAutzAction auth
    OIDCPathAuthRequestParams acr_values=2
</Location>

When the user accesses the application context /admin they are redirected to the IDP for authentication; after successful authentication the user is redirected back to this application, where the claims are validated. If the acr claim is set to 2 and the group claim is set to admins_group, the user is able to access the application successfully.

However, if the user has authenticated with an acr claim of 2 but does not have the group claim set to admins_group, they are redirected to the IDP authorise endpoint for authentication. Because the user has already authenticated, they are redirected straight back to the application, which then does the authorisation checks again; here we are hitting an infinite loop.

Can we detect this condition and return the user to an access denied page or back to the IDP for authentication with an additional login parameter to force the IDP to redirect the user to the login page?


Replies: 1 comment 3 replies


You must use an OIDCPathAuthRequestParams such that the OP is forced to release group:admins_group in addition to the acr value; perhaps through the claims parameter or any other parameter that will ask the OP to require group:admins_group; scope is usually a good option for that.


Hi,
I didn't quite follow the changes that I need. The admins_group is only added to the group claim in the ID token if the user has admins_group. The OP will set this in the authorise endpoint call.
I am currently using the OIDCPathAuthRequestParams to append acr_values of 2 to the request if the authorisation fails, to redirect the user back to the OP.

If I understand correctly, do I need to set the following in the OIDCPathAuthRequestParams parameter:
OIDCAuthRequestParams acr_values=2 claim=admins_group

Then the OAuth provider in the auth flow should validate that the acr is 2 and that the claim admins_group is satisfied before redirecting back to this application?


yes
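The loop in the question is easy to reproduce in a model: the RP's `<RequireAll>` policy fails, `OIDCUnAutzAction auth` sends the browser back to the OP with the path's `acr_values`, and the OP, which already holds an SSO session at that acr, returns the same ID token without any user interaction. The following Python simulation is an added example and is not mod_auth_openidc code or the project's behaviour: `FakeOP`, its user store, the two users, and the `stepped_up` guard in `RP.visit_admin` are all constructed for illustration. The guard shows the RP-side detection the question asks about (remember in the session that step-up was already attempted for this path and answer 403 on the second failure); the reply's actual recommendation, asking the OP for the group claim via `claims` or `scope`, is not modelled because how an OP reacts to a claim it cannot supply is OP-specific.

```python
"""Model of the step-up redirect loop from this thread (added example, not
mod_auth_openidc code). The acr/group values, the fake OP and the loop guard
are assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Policy from the <Location /admin> block in the question:
#   Require valid-user / Require claim acr:2 / Require claim group:admins_group
REQUIRED_CLAIMS = {"acr": "2", "group": "admins_group"}
STEP_UP_PARAMS = {"acr_values": "2"}  # OIDCPathAuthRequestParams acr_values=2

# Constructed OP user store: 'group' is only emitted for users who have it.
OP_USERS = {
    "alice": {"sub": "alice", "group": "admins_group"},
    "bob": {"sub": "bob"},  # authenticates fine, is not an admin
}


def require_all(claims: dict, required: dict) -> bool:
    """Mirror <RequireAll>: valid-user plus every 'Require claim name:value'."""
    if not claims.get("sub"):
        return False
    return all(claims.get(name) == value for name, value in required.items())


@dataclass
class FakeOP:
    """Constructed OP with one SSO session per user. It only interacts with
    the user on a fresh login or when acr_values asks for a higher acr than
    the session already has; otherwise it redirects back immediately."""
    sessions: dict = field(default_factory=dict)  # user -> acr level (int)
    logins: int = 0  # how often a user actually saw a login/MFA prompt

    def authorize(self, user: str, params: dict) -> dict:
        acr = self.sessions.get(user, 0)
        wanted = int(params.get("acr_values", 1))
        if acr == 0 or wanted > acr:
            self.logins += 1  # fresh login or step-up: user interacts
            acr = max(acr, wanted)
            self.sessions[user] = acr
        # SSO case: same claims as before, no prompt
        return {**OP_USERS[user], "acr": str(acr)}


@dataclass
class RP:
    """The Apache side: session check, RequireAll, OIDCUnAutzAction auth."""
    op: FakeOP
    guard: bool = True  # hypothetical loop breaker, not a module feature
    max_rounds: int = 5  # bound the simulation so a loop terminates

    def visit_admin(self, user: str) -> tuple[str, int]:
        """Simulate GET /admin by a user who logged in earlier on a public
        path (acr 1). Returns (HTTP outcome, OP round trips made)."""
        session = self.op.authorize(user, {})
        stepped_up = False  # would live in the mod_auth_openidc session
        for rounds in range(1, self.max_rounds + 1):
            if require_all(session, REQUIRED_CLAIMS):
                return "200 OK", rounds
            if self.guard and stepped_up:
                # Step-up already happened and authz still fails: deny
                return "403 Forbidden", rounds
            # OIDCUnAutzAction auth: back to the OP with the path's params
            session = self.op.authorize(user, STEP_UP_PARAMS)
            stepped_up = True
        return "redirect loop", self.max_rounds


def run_scenarios() -> dict:
    """Constructed scenarios: admin needing step-up, non-admin with and
    without the guard. Each gets its own OP so sessions do not leak."""
    return {
        "alice": RP(FakeOP()).visit_admin("alice"),
        "bob_guard": RP(FakeOP()).visit_admin("bob"),
        "bob_loop": RP(FakeOP(), guard=False).visit_admin("bob"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Alice is promoted from acr 1 to 2 and gets in on the second round; Bob also reaches acr 2, but the OP never prompts him again afterwards (`logins` stays at 2 however many rounds run), so without a guard the RP redirects until the bound is hit.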


Hi,

Does step up authentication as implemented above support OIDCSessionType set to client-cookie or only server-cache, or doesn't it matter what OIDCSessionType is set?
