diff --git a/TIQR.md b/TIQR.md
new file mode 100644
index 00000000..881d41e3
--- /dev/null
+++ b/TIQR.md
@@ -0,0 +1,24 @@
+```mermaid
+sequenceDiagram
+ actor User
+ participant Tiqr App
+ participant eduID
+ User->>Tiqr App: Start registration
+ Tiqr App->>eduID: Start enrollment
+ eduID->>Tiqr App: Enrollment data
+ Note right of Tiqr App: EnrollmentKey, metaData URL and qrcode
+ Tiqr App->>eduID: MetaData enrollmentKey
+ eduID->>Tiqr App: MetaData
+ Note right of Tiqr App: Service and Identity (=registrationID)
+ Tiqr App->>eduID: Start authentication
+ eduID->>Tiqr App: Session key and url
+ Note right of Tiqr App: Authentication URL with u=registrationID
+ Tiqr App->>eduID: Finish authentication
+ Note right of Tiqr App: AuthenticationData with userId=registrationID
+ eduID->>eduID: Fetch User with AuthenticationData-userId
+ Note left of eduID: UserNotFoundException
+ eduID->>eduID: Fetch Registration with AuthenticationData-userId
+ eduID->>eduID: Fetch User with Registration-userId
+ eduID->>Tiqr App: OK
+ Tiqr App->>User: 🙏🏻
+```
diff --git a/account-gui/pom.xml b/account-gui/pom.xml
index 9a57d7f7..811c4e9b 100644
--- a/account-gui/pom.xml
+++ b/account-gui/pom.xml
@@ -4,7 +4,7 @@ org.openconext myconext - 7.4.5 + 7.4.6 ../pom.xml account-gui
diff --git a/myconext-gui/pom.xml b/myconext-gui/pom.xml
index 38a7789d..24dce96e 100644
--- a/myconext-gui/pom.xml
+++ b/myconext-gui/pom.xml
@@ -4,7 +4,7 @@ org.openconext myconext - 7.4.5 + 7.4.6 ../pom.xml myconext-gui
diff --git a/myconext-server/pom.xml b/myconext-server/pom.xml
index f48d1595..fa920ee7 100644
--- a/myconext-server/pom.xml
+++ b/myconext-server/pom.xml
@@ -4,7 +4,7 @@ org.openconext myconext - 7.4.5 + 7.4.6 ../pom.xml myconext-server
diff --git a/myconext-server/src/main/java/myconext/tiqr/TiqrController.java b/myconext-server/src/main/java/myconext/tiqr/TiqrController.java
index 4818a35b..7d455612 100644
--- a/myconext-server/src/main/java/myconext/tiqr/TiqrController.java
+++ b/myconext-server/src/main/java/myconext/tiqr/TiqrController.java
@@ -43,6 +43,7 @@ import java.time.Instant;
 import java.util.*;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.function.Function;
 import static myconext.crypto.HashGenerator.hash;
 import static myconext.log.MDCContext.logWithContext;
@@ -528,22 +529,34 @@ public ResponseEntity doEnrollment(@ModelAttribute Registration registra
 @PostMapping(value = "/authentication", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
 @Hidden
 public ResponseEntity doAuthentication(@ModelAttribute AuthenticationData authenticationData) {
- String userId = authenticationData.getUserId();
- User user = userRepository.findById(userId).orElseThrow(() -> new UserNotFoundException(userId));
+ String metaDataIdentity = authenticationData.getUserId();
+ /*
+ * This used to be the userID, but in https://github.com/OpenConext/OpenConext-myconext/issues/552 this has
+ * changed to the registrationID. We need to try them both to be backwards compatible
+ */
+ Optional optionalRegistration = registrationRepository.findById(metaDataIdentity);
+ Optional optionalUser = optionalRegistration
+ .map(registration -> userRepository.findById(registration.getUserId()))
+ .flatMap(Function.identity());
+ User user = optionalUser
+ .orElseGet(() -> userRepository.findById(metaDataIdentity)
+ .orElseThrow(() -> new UserNotFoundException("User not found with authenticationData#userId:" + metaDataIdentity)));
+
 if (!rateLimitEnforcer.isUserAllowedTiqrVerification(user)) {
 return ResponseEntity.ok("ERROR");
 }
 try {
 tiqrService.postAuthentication(authenticationData);
- LOG.debug("Successful authentication for user " + userId);
+ LOG.debug(String.format("Successful authentication for user %s, %s" ,user.getEmail(), user.getId()));
 rateLimitEnforcer.unsuspendUserAfterTiqrSuccess(user);
 return ResponseEntity.ok("OK");
 } catch (TiqrException | RuntimeException e) { //Do not show stacktrace
- LOG.error(String.format("Exception during authentication for user %s, message %s",
- userId,
+ LOG.error(String.format("Exception during authentication for user %s, %s message %s",
+ user.getEmail(),
+ user.getId(),
 e.getMessage()));
 rateLimitEnforcer.suspendUserAfterTiqrFailure(user);
 try {
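Review bot: `optionalRegistration.map(registration -> userRepository.findById(registration.getUserId())).flatMap(Function.identity())` is a roundabout `Optional.flatMap`; `Optional<User> optionalUser = optionalRegistration.flatMap(registration -> userRepository.findById(registration.getUserId()));` does the same thing and removes the need for the `java.util.function.Function` import added in the earlier hunk. The rewritten debug and error log lines now emit `user.getEmail()` next to `user.getId()`, whereas the old lines logged only an identifier; the id alone is enough to correlate with the rate-limit events, so leaving the email address out keeps PII out of retained log output. A one-line comment would also help at `tiqrService.postAuthentication(authenticationData)`: the submitted `userId` may now be a registration id and `authenticationData` is forwarded unchanged, so the reader has to trust that the tiqr service resolves both forms — presumably it does, given the new tests, but the hunk does not show it. doAuthentication continues outside the hunk.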
diff --git a/myconext-server/src/test/java/myconext/tiqr/TiqrControllerTest.java b/myconext-server/src/test/java/myconext/tiqr/TiqrControllerTest.java
index 896defb9..fc9190cb 100644
--- a/myconext-server/src/test/java/myconext/tiqr/TiqrControllerTest.java
+++ b/myconext-server/src/test/java/myconext/tiqr/TiqrControllerTest.java
@@ -309,7 +309,16 @@ public void fetchRegistration() throws IOException {
 }
 @Test
- public void startAuthentication() throws Exception {
+ public void startAuthenticationWithRegistrationID() throws Exception {
+ doStartAuthentication(true);
+ }
+
+ @Test
+ public void startAuthenticationBackwardCompatibleWithUserID() throws Exception {
+ doStartAuthentication(false);
+ }
+
+ private void doStartAuthentication(boolean useRegistrationId) throws Exception {
 SamlAuthenticationRequest samlAuthenticationRequest = doEnrollmment(true);
 Map results = given()
@@ -338,10 +347,11 @@ public void startAuthentication() throws Exception {
 String decryptedSecret = this.decryptRegistrationSecret(registration.getSecret());
 String ocra = OCRA.generateOCRA(decryptedSecret, authentication.getChallenge(), sessionKey);
+ String userId = useRegistrationId ? registration.getId() : samlAuthenticationRequest.getUserId();
 given()
 .contentType(ContentType.URLENC)
 .formParam("sessionKey", sessionKey)
- .formParam("userId", samlAuthenticationRequest.getUserId())
+ .formParam("userId", userId)
 .formParam("response", ocra)
 .formParam("language", "en")
 .formParam("operation", "login")
diff --git a/pom.xml b/pom.xml
index 33a87804..89f961f4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@ 4.0.0 org.openconext myconext - 7.4.5 + 7.4.6 pom myconext My OpenConext
diff --git a/public-gui/pom.xml b/public-gui/pom.xml
index 38a32ece..ab024146 100644
--- a/public-gui/pom.xml
+++ b/public-gui/pom.xml
@@ -4,7 +4,7 @@ org.openconext myconext - 7.4.5 + 7.4.6 ../pom.xml public-gui
diff --git a/tiqr-mock/pom.xml b/tiqr-mock/pom.xml
index 026acc17..ddcba3c3 100644
--- a/tiqr-mock/pom.xml
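Review bot: The two new tests cover both lookup paths that succeed, but not the branch the controller's fallback introduces, where the submitted `userId` matches neither a registration nor a user and `doAuthentication` ends in `UserNotFoundException`. A third test next to `startAuthenticationBackwardCompatibleWithUserID` that posts an unknown id with the same form fields and asserts whatever response the exception handler maps it to would pin that branch and guard the backward-compatibility logic against regressions. `doStartAuthentication` starts in the first hunk and its body continues past it.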
+++ b/tiqr-mock/pom.xml
@@ -4,7 +4,7 @@ org.openconext myconext - 7.4.5 + 7.4.6 ../pom.xml tiqr-mock