Merge pull request #1110 from OpenConext/fix/794-reject-app-after-linked-institution

oharsta · web-flow · commit 85d4d041b882 · 2026-01-13T13:32:41.000+01:00
#794 Moves the MFA check after the ACR check
diff --git a/myconext-server/src/main/java/myconext/security/GuestIdpAuthenticationRequestFilter.java b/myconext-server/src/main/java/myconext/security/GuestIdpAuthenticationRequestFilter.java
@@ -730,17 +730,18 @@ private void sendAssertion(HttpServletRequest request,
             } else {
                 authnContextClassRefValue = ACR.selectACR(authenticationContextClassReferences, hasStudentAffiliation);
             }
-        } else if (samlAuthenticationRequest.isMfaProfileRequired()) {
+        } else if (!applySsoMfa && !CollectionUtils.isEmpty(authenticationContextClassReferences)) {
+            optionalMessage = String.format("The specified authentication context requirements '%s' cannot be met by the responder.",
+                    String.join(", ", authenticationContextClassReferences));
+            samlStatus = SAMLStatus.NO_AUTHN_CONTEXT;
+        }
+        if (samlAuthenticationRequest.isMfaProfileRequired()) {
             if (samlAuthenticationRequest.isTiqrFlow() || applySsoMfa) {
                 authnContextClassRefValue = ACR.selectACR(authenticationContextClassReferences, false);
             } else {
                 optionalMessage = "The requesting service has indicated that a login with the eduID app is required to login.";
                 samlStatus = SAMLStatus.NO_AUTHN_CONTEXT;
             }
-        } else if (!applySsoMfa && !CollectionUtils.isEmpty(authenticationContextClassReferences)) {
-            optionalMessage = String.format("The specified authentication context requirements '%s' cannot be met by the responder.",
-                    String.join(", ", authenticationContextClassReferences));
-            samlStatus = SAMLStatus.NO_AUTHN_CONTEXT;
         }
         if (!samlStatus.equals(SAMLStatus.SUCCESS)) {
             authnContextClassRefValue = DefaultSAMLService.authnContextClassRefUnspecified;
diff --git a/myconext-server/src/test/java/myconext/api/UserControllerTest.java b/myconext-server/src/test/java/myconext/api/UserControllerTest.java
@@ -16,6 +16,7 @@
 import org.apache.commons.io.IOUtils;
 import org.apache.http.client.CookieStore;
 import org.junit.Test;
+import org.opensaml.saml.saml2.core.StatusCode;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
@@ -197,6 +198,45 @@ public void accountLinkingAndMfa() throws IOException {
         assertTrue(samlResponse.contains(ACR.LINKED_INSTITUTION_MFA));
     }
 
+    @Test
+    public void accountLinkingAndMfa_RejectMfa() throws IOException {
+        String authnContext = readFile("request_authn_context_linked_institution_mfa.xml");
+        Response response = samlAuthnRequestResponseWithLoa(null, "relay", authnContext);
+        String authenticationRequestId = extractAuthenticationRequestIdFromAuthnResponse(response);
+
+        String location = response.getHeader("Location");
+        assertTrue(location.contains("/login"));
+        assertTrue(location.contains("stepup=true"));
+        assertTrue(location.contains("mfa=true"));
+
+        // Linking institution
+        User user = userRepository.findOneUserByEmail("mdoe@example.com");
+        LinkedAccount linkedAccount = linkedAccount("John", "Doe", new Date());
+        user.getLinkedAccounts().add(linkedAccount);
+        userRepository.save(user);
+
+        ClientAuthenticationRequest clientAuthenticationRequest = new ClientAuthenticationRequest(authenticationRequestId, user, false, "repsonse");
+        ClientAuthenticationResponse authenticationResponse = oneTimeLoginCodeRequest(clientAuthenticationRequest, HttpMethod.PUT);
+
+        SamlAuthenticationRequest samlAuthenticationRequest = authenticationRequestRepository
+                .findById(authenticationResponse.authenticationRequestId).get();
+
+        Response magicResponse = given().redirects().follow(false)
+                .when()
+                .queryParam("h", samlAuthenticationRequest.getHash())
+                .cookie(BROWSER_SESSION_COOKIE_NAME, "true")
+                .get("/saml/guest-idp/magic");
+        while (magicResponse.statusCode() == 302) {
+            String redirectLocation = magicResponse.getHeader("Location");
+            assertNotNull(redirectLocation);
+            magicResponse = this.get302Response(magicResponse, Optional.empty(), "?force=true");
+        }
+        String samlResponse = samlAuthnResponse(magicResponse, Optional.empty());
+
+        assertTrue(samlResponse.contains(StatusCode.NO_AUTHN_CONTEXT));
+        assertTrue(samlResponse.contains("The requesting service has indicated that a login with the eduID app is required to login."));
+    }
+
     @Test
     public void accountLinkingAndMfa_Flow() throws IOException {
         // Login
