Step Up Authentication and infinite redirect Loops

[singhmann1]

We have implemented stepup authentication using acr_values referring to the page located at https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication

We have the following setup on Apache:

<Location /admin>
AuthType openid-connect
<RequireAll>
Require valid-user
Require claim acr:2
Require claim group:admins_group
</RequireAll>
OIDCUnAutzAction auth
OIDCPathAuthRequestParams acr_values=2
</Location>

When the user accesses the application context /admin they are redirected to the IDP for authentication, after successful authentication the user is redirected back to this application where the claims are validated. If the acr claim is set to 2 and the group claims is set to admins_group the user is able to access the application successfully.

However if the user has authenticated with acr claim of 2 but does not have the claim of group set to admins_group then they are redirected to the IDP Authorise endpoint for authentication. Because the user has already authenticated they are redirected back to the end application which then does the authorisation checks, here we are hitting an infinite looping problem.

Can we detect this condition and return the user to an access denied page or back to the IDP for authentication with an additional login parameter to force the IDP to redirect the user to the login page?

[zandbelt]

you must use a OIDCPathAuthRequestParams such that the OP is forced to release group:admins_group in addition to the acr value; perhaps through the claims parameter or any other parameter that will ask the OP to requre group:admins_group ; scope is usually a good option for that

[singhmann1]

Hi,
I didn't quite follow the changes that I need. The admins_group is only added to the claim group in the ID token if the user has admins_group. The OP will set this in the authorise end point call.
I am currently using the OIDCPathAuthRequestParams to append acr_values of 2 in the request if the authorisation fails to redirect the user back to the OP.

If I understand correctly do I need to set the following in the OIDCPathAuthRequestParams parameter:
OIDCAuthRequestParams acr_values=2 claim=admins_group

Then the Oauthprovider in the auth flow should validate the acr is 2 as well as the claim admins_group is satisfied before redirecting back to this application?

[zandbelt]

yes

[singhmann1]

hi

Does step up authentication as implemented above support OIDCSessionType set to client-cookie or only server-cache, or doesn't it matter what OIDCSessionType is set?