feat: [OCISDEV-249] add acr verification to admin settings

Add a check to the admin settings app to verify the ACR value.
If the ACR value is not the one required, the user is redirected to the login page.

Author: LukasHirt

dev/docker/ocis.web.config.json

@@ -5,7 +5,8 @@
     "metadata_url": "https://host.docker.internal:9200/.well-known/openid-configuration",
     "authority": "https://host.docker.internal:9200",
     "client_id": "web",
-    "response_type": "code"
+    "response_type": "code",
+    "scope": "openid profile email acr"
   },
   "options": {
     "contextHelpersReadMore": true

packages/web-app-admin-settings/src/index.ts

@@ -10,6 +10,7 @@ import {
   AppNavigationItem,
   defineWebApplication,
   useAbility,
+  useAuthService,
   useUserStore
 } from '@ownclouders/web-pkg'
 import { RouteRecordRaw } from 'vue-router'
@@ -22,7 +23,7 @@ function $gettext(msg: string) {
 
 const appId = 'admin-settings'
 
-function getAvailableRoute(ability: Ability) {
+function getNextAvailableRoute(ability: Ability) {
   if (ability.can('read-all', 'Setting')) {
     return { name: 'admin-settings-general' }
   }
@@ -42,6 +43,12 @@ function getAvailableRoute(ability: Ability) {
   throw Error('Insufficient permissions')
 }
 
+async function requireAcr(acrValue: string, redirectUrl: string) {
+  // TODO: check capabilities
+  const authService = useAuthService()
+  await authService.requireAcr(acrValue, redirectUrl)
+}
+
 export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] => [
   {
     path: '/',
@@ -53,10 +60,13 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     path: '/general',
     name: 'admin-settings-general',
     component: General,
-    beforeEnter: (to, from, next) => {
+    beforeEnter: async (to, from, next) => {
       if (!$ability.can('read-all', 'Setting')) {
-        return next(getAvailableRoute($ability))
+        return next(getNextAvailableRoute($ability))
       }
+
+      await requireAcr('advanced', to.fullPath)
+
       next()
     },
     meta: {
@@ -68,10 +78,13 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     path: '/users',
     name: 'admin-settings-users',
     component: Users,
-    beforeEnter: (to, from, next) => {
+    beforeEnter: async (to, from, next) => {
       if (!$ability.can('read-all', 'Account')) {
-        return next(getAvailableRoute($ability))
+        return next(getNextAvailableRoute($ability))
       }
+
+      await requireAcr('advanced', to.fullPath)
+
       next()
     },
     meta: {
@@ -83,10 +96,13 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     path: '/groups',
     name: 'admin-settings-groups',
     component: Groups,
-    beforeEnter: (to, from, next) => {
+    beforeEnter: async (to, from, next) => {
       if (!$ability.can('read-all', 'Group')) {
-        return next(getAvailableRoute($ability))
+        return next(getNextAvailableRoute($ability))
       }
+
+      await requireAcr('advanced', to.fullPath)
+
       next()
     },
     meta: {
@@ -98,10 +114,13 @@ export const routes = ({ $ability }: { $ability: Ability }): RouteRecordRaw[] =>
     path: '/spaces',
     name: 'admin-settings-spaces',
     component: Spaces,
-    beforeEnter: (to, from, next) => {
+    beforeEnter: async (to, from, next) => {
       if (!$ability.can('read-all', 'Drive')) {
-        return next(getAvailableRoute($ability))
+        return next(getNextAvailableRoute($ability))
       }
+
+      await requireAcr('advanced', to.fullPath)
+
       next()
     },
     meta: {

packages/web-pkg/src/composables/authContext/useAuthService.ts

@@ -6,6 +6,7 @@ export interface AuthServiceInterface {
   signinSilent(): Promise<unknown>
   logoutUser(): Promise<void | NavigationFailure>
   getRefreshToken(): Promise<string>
+  requireAcr(acrValue: string, redirectUrl: string): Promise<void>
 }
 
 export const useAuthService = (): AuthServiceInterface => {

packages/web-runtime/src/services/auth/authService.ts

@@ -384,6 +384,31 @@ export class AuthService implements AuthServiceInterface {
     console.debug('[authService:handleDelegatedTokenUpdate] - going to update the access_token')
     return this.userManager.updateContext(event.data, false)
   }
+
+  /**
+   * Redirects to the login page if the user is not authenticated or if the ACR value is not the one required.
+   *
+   * @param acrValue - The ACR value to require.
+   * @param redirectUrl - The URL to redirect to after login.
+   *
+   * @throws {Error} In cases of wrong authentication.
+   */
+  public async requireAcr(acrValue: string, redirectUrl: string) {
+    const user = await this.userManager.getUser()
+
+    if (!user || user.expired) {
+      this.userManager.setPostLoginRedirectUrl(redirectUrl)
+      return this.userManager.signinRedirect({ acr_values: acrValue })
+    }
+
+    const { acr } = user.profile
+    if (acr === acrValue) {
+      return
+    }
+
+    this.userManager.setPostLoginRedirectUrl(redirectUrl)
+    return this.userManager.signinRedirect({ acr_values: acrValue })
+  }
 }
 
 export const authService = new AuthService()

packages/web-runtime/src/services/auth/userManager.ts

@@ -73,13 +73,17 @@ export class UserManager extends OidcUserManager {
       client_id: '',
 
       // we trigger the token renewal manually via a timer running in a web worker
-      automaticSilentRenew: false
+      automaticSilentRenew: false,
+
+      // Omit acr
+      filterProtocolClaims: ['nbf', 'jti', 'auth_time', 'nonce', 'amr', 'azp', 'at_hash']
     }
 
     if (options.configStore.isOIDC) {
       Object.assign(openIdConfig, {
         scope: 'openid profile',
         loadUserInfo: false,
+        acr_values: 'regular',
         ...options.configStore.openIdConnect,
         ...(options.configStore.openIdConnect.metadata_url && {
           metadataUrl: options.configStore.openIdConnect.metadata_url