feat: acr can be used to force identity with IAL=2

Author: rdubigny

.github/workflows/end-to-end.yml

@@ -50,6 +50,7 @@ jobs:
           - signin_from_standard_client
           - signin_with_email_verification_renewal
           - signin_with_magic_link
+          - signin_with_right_acr
           - signin_with_totp
           - signup_entreprise_unipersonnelle
           - update_personal_information
@@ -95,6 +96,19 @@ jobs:
           MCP_PROVIDER: ${{ env.MONCOMPTEPRO_HOST }}
           MCP_SCOPES: openid email profile phone organizations
           STYLESHEET_URL: ""
+      moncomptepro-acr-client:
+        image: ghcr.io/numerique-gouv/moncomptepro-test-client
+        ports:
+          - 4003:3000
+        env:
+          SITE_TITLE: moncomptepro-acr-client
+          HOST: http://localhost:4003
+          MCP_CLIENT_ID: acr_client_id
+          MCP_CLIENT_SECRET: acr_client_secret
+          MCP_PROVIDER: ${{ env.MONCOMPTEPRO_HOST }}
+          MCP_SCOPES: openid email profile organization
+          ACR_VALUE_FOR_2FA: urn:dinum:ac:classes:consistency-checked
+          STYLESHEET_URL: ""
       redis:
         image: redis:7.2
         ports:

README.md

@@ -155,14 +155,21 @@ d’usurpations d’identités liés aux attaques par _phishing_ par exemple.
 
 Vous pouvez tester la cinématique via le lien suivant : https://test.moncomptepro.beta.gouv.fr/#force-2fa
 
-Pour ce faire, vous devez passer les paramètres `claims={"id_token":{"acr":{"essential":true,value:"https://refeds.org/profile/mfa"}}}` comme suit :
+Pour ce faire, vous devez passer les paramètres `claims={"id_token":{"acr":{"essential":true,value:"urn:dinum:ac:classes:consistency-checked-2fa"}}}` comme suit :
 
 https://app-sandbox.moncomptepro.beta.gouv.fr/oauth/authorize?client_id=client_id&scope=openid%20email%20profile%20organization&response_type=code&redirect_uri=https%3A%2F%2Ftest.moncomptepro.beta.gouv.fr%2Flogin-callback&claims=%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%22%7D%7D%7D
 
 Les valeurs `acr` utilisées par ProConnect Identité sont les suivantes :
 
-- `eidas1` authentification simple facteur avec une identité de niveau faible.
-- `https://refeds.org/profile/mfa` authentification par double facteur sans preuve d’identité particulière.
+- `eidas1` authentification simple facteur avec une identité de niveau faible ;
+- `urn:dinum:ac:classes:self-asserted` : identité déclarative ;
+- `urn:dinum:ac:classes:self-asserted-2fa` : identité déclarative ;
+- `urn:dinum:ac:classes:consistency-checked` : identité déclarative + un des tests de cohérence suivant :
+  - contrôle du référencement du nom de domaine
+  - code à usage unique envoyé par courrier postal au siège social
+  - code à usage unique envoyé par email à l'adresse de contact référencée dans un annuaire de référence
+  - identité du dirigeant d'association conforme
+- `urn:dinum:ac:classes:consistency-checked-2fa` : `urn:dinum:ac:classes:consistency-checked` + authentification à double facteur
 
 ## 3. 👋 Contribuer à ProConnect Identité
 

cypress/e2e/signin_with_right_acr/env.conf

@@ -0,0 +1 @@
+DO_NOT_SEND_MAIL="True"

cypress/e2e/signin_with_right_acr/fixtures.sql

@@ -0,0 +1,57 @@
+INSERT INTO users
+(id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at,
+ given_name, family_name, phone_number, job, encrypted_totp_key, totp_key_verified_at, force_2fa)
+VALUES
+  (1, 'ial2-aal2@yopmail.com', true, CURRENT_TIMESTAMP,
+   '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+   'Jean', 'IAL2 AAL2', '0123456789', 'Sbire',
+   'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==',
+   CURRENT_TIMESTAMP, false
+  ),
+  (2, 'ial1-aal2@yopmail.com', true, CURRENT_TIMESTAMP,
+   '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+   'Jean', 'IAL1 AAL2', '0123456789', 'Sbire',
+   'kuOSXGk68H2B3pYnph0uyXAHrmpbWaWyX/iX49xVaUc=.VMPBZSO+eAng7mjS.cI2kRY9rwhXchcKiiaMZIg==',
+   CURRENT_TIMESTAMP, false
+  ),
+  (3, 'ial2-aal1@yopmail.com', true, CURRENT_TIMESTAMP,
+   '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+   'Jean', 'IAL2 AAL1', '0123456789', 'Sbire',
+   null, null, false),
+  (4, 'ial1-aal1@yopmail.com', true, CURRENT_TIMESTAMP,
+   '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP,
+   'Jean', 'IAL1 AAL1', '0123456789', 'Sbire',
+   null, null, false);
+
+INSERT INTO organizations
+  (id, siret, created_at, updated_at)
+VALUES
+  (1, '21340126800130', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP);
+
+INSERT INTO users_organizations
+  (user_id, organization_id, is_external, verification_type, has_been_greeted)
+VALUES
+  (1, 1, false, 'domain', true),
+  (2, 1, false, null, true),
+  (3, 1, false, 'domain', true),
+  (4, 1, false, null, true);
+
+INSERT INTO oidc_clients
+  (client_name, client_id, client_secret, redirect_uris,
+   post_logout_redirect_uris, scope, client_uri, client_description,
+   userinfo_signed_response_alg, id_token_signed_response_alg,
+   authorization_signed_response_alg, introspection_signed_response_alg)
+VALUES
+  ('Oidc Test Client',
+   'acr_client_id',
+   'acr_client_secret',
+   ARRAY [
+     'http://localhost:4003/login-callback'
+     ],
+   ARRAY [
+     'http://localhost:4003/'
+     ],
+   'openid email profile organization',
+   'http://localhost:4003/',
+   'MonComptePro test client. More info: https://github.com/numerique-gouv/moncomptepro-test-client.',
+   null, 'RS256', null, null);

cypress/e2e/signin_with_right_acr/index.cy.ts

@@ -0,0 +1,31 @@
+//
+
+describe("sign-in with a client requiring consistency-checked identity", () => {
+  it("should sign-in an return the right acr value", function () {
+    cy.visit("http://localhost:4003");
+    cy.get("button#force-2fa").click();
+
+    cy.login("ial2-aal1@yopmail.com");
+
+    cy.contains('"acr": "urn:dinum:ac:classes:consistency-checked"');
+  });
+  it("should return an error with ial1", function () {
+    cy.visit("http://localhost:4003");
+    cy.get("button#force-2fa").click();
+
+    cy.login("ial1-aal1@yopmail.com");
+
+    cy.contains("access_denied (none of the requested ACRs could be obtained)");
+  });
+
+  // TODO add tests:
+  // - log with a client requiring consistency-checked and consistency-checked-mfa
+  //   - with a consistency checked user and MFA => see the right acr returned
+  //   - with a self-asserted user and MFA => see an error
+  // - log with a client not requiring any acr
+  //   - with a self-asserted user => see acr self-asserted
+  //   - with a consistency checked user => see acr consistency-checked
+  // - log with acr_values=eidas1 and ENABLE_FIXED_ACR=True
+  //   - with all type of acr => see the right acr
+  // these tests required the mcp-test-client to be modifiable like fc-mock
+});

cypress/e2e/signin_with_totp/index.cy.ts

@@ -14,7 +14,9 @@ describe("sign-in with TOTP on untrusted browser", () => {
 
     cy.login("unused2@yopmail.com");
 
-    cy.contains("Vérifier votre email");
+    // TODO get browser enrollment code
+
+    cy.contains("moncomptepro-standard-client");
   });
 
   it("should sign-in with password and TOTP when forced by SP", function () {
@@ -26,6 +28,25 @@ describe("sign-in with TOTP on untrusted browser", () => {
     cy.contains('"amr": [\n    "pwd",\n    "totp",\n    "mfa"\n  ],');
   });
 
+  it("should only show totp step when already logged", function () {
+    cy.visit("http://localhost:4000");
+    cy.get("button.proconnect-button").click();
+
+    cy.login("unused2@yopmail.com");
+
+    // TODO get browser enrollment code
+
+    cy.contains("moncomptepro-standard-client");
+
+    cy.get("button#force-2fa").click();
+
+    cy.contains("merci de valider votre deuxième étape de connexion");
+
+    cy.fillTotpFields();
+
+    cy.contains('"amr": [\n    "pwd",\n    "totp",\n    "mfa"\n  ],');
+  });
+
   it("should trigger totp rate limiting", function () {
     cy.visit("/users/start-sign-in");
 

docker-compose.yml

@@ -67,6 +67,20 @@ services:
       STYLESHEET_URL:
     network_mode: "host"
 
+  moncomptepro-acr-client:
+    image: ghcr.io/numerique-gouv/moncomptepro-test-client
+    environment:
+      PORT: 4003
+      SITE_TITLE: moncomptepro-acr-client
+      HOST: http://localhost:4003
+      MCP_CLIENT_ID: acr_client_id
+      MCP_CLIENT_SECRET: acr_client_secret
+      MCP_PROVIDER: http://localhost:3000
+      MCP_SCOPES: openid email profile organization
+      ACR_VALUE_FOR_2FA: urn:dinum:ac:classes:consistency-checked
+      STYLESHEET_URL:
+    network_mode: "host"
+
   maildev:
     image: soulteary/maildev
     network_mode: "host"

src/config/env.ts

@@ -28,6 +28,10 @@ export const {
   ACCESS_LOG_PATH,
   API_AUTH_PASSWORD,
   API_AUTH_USERNAME,
+  ACR_VALUE_FOR_IAL1_AAL1,
+  ACR_VALUE_FOR_IAL1_AAL2,
+  ACR_VALUE_FOR_IAL2_AAL1,
+  ACR_VALUE_FOR_IAL2_AAL2,
   BREVO_API_KEY,
   CRISP_BASE_URL,
   CRISP_IDENTIFIER,

src/config/env.zod.ts

@@ -52,6 +52,18 @@ export const secretEnvSchema = z.object({
 
 export const paramsEnvSchema = z.object({
   ACCESS_LOG_PATH: z.string().optional(),
+  ACR_VALUE_FOR_IAL1_AAL1: z
+    .string()
+    .default("urn:dinum:ac:classes:self-asserted"),
+  ACR_VALUE_FOR_IAL1_AAL2: z
+    .string()
+    .default("urn:dinum:ac:classes:self-asserted-2fa"),
+  ACR_VALUE_FOR_IAL2_AAL1: z
+    .string()
+    .default("urn:dinum:ac:classes:consistency-checked"),
+  ACR_VALUE_FOR_IAL2_AAL2: z
+    .string()
+    .default("urn:dinum:ac:classes:consistency-checked-2fa"),
   DEPLOY_ENV: z.enum(["preview", "production", "sandbox"]).default("preview"),
   DIRTY_DS_REDIRECTION_URL: z
     .string()

src/config/oidc-provider-configuration.ts

@@ -5,6 +5,12 @@ import epochTime from "../services/epoch-time";
 import { findAccount } from "../services/oidc-account-adapter";
 import policy from "../services/oidc-policy";
 import { renderWithEjsLayout } from "../services/renderer";
+import {
+  ACR_VALUE_FOR_IAL1_AAL1,
+  ACR_VALUE_FOR_IAL1_AAL2,
+  ACR_VALUE_FOR_IAL2_AAL1,
+  ACR_VALUE_FOR_IAL2_AAL2,
+} from "./env";
 
 //
 
@@ -13,7 +19,13 @@ export const oidcProviderConfiguration = ({
   shortTokenTtlInSeconds = 10 * 60,
   tokenTtlInSeconds = 60 * 60,
 }): Configuration => ({
-  acrValues: ["eidas1", "https://refeds.org/profile/mfa"],
+  acrValues: [
+    "eidas1",
+    ACR_VALUE_FOR_IAL1_AAL1,
+    ACR_VALUE_FOR_IAL1_AAL2,
+    ACR_VALUE_FOR_IAL2_AAL1,
+    ACR_VALUE_FOR_IAL2_AAL2,
+  ],
   claims: {
     amr: null,
     // claims definitions can be found here: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims