select authentication scheme according to authentication level
Summary
It would be nice to have a feature allowing the portal to choose the authentication scheme according to an authentication level. This feature is to be considered as an evolution of:
https://lemonldap-ng.org/documentation/latest/writingrulesand_headers
Instead of returning a 403 code, “minimum level” returns the user to a form that explains that a higher level is required and proposes that the user reauthenticate.
In other words, make the application "decide" the authentication scheme of the portal.
Design proposition
[manager]
add a new parameter: desiredAuthenticationLevel for each vhost
[handler]
the handler checks whether desiredAuthenticationLevel is set; if desiredAuthenticationLevel > 0, the handler redirects the user to ?url=base64(url)&desiredAuthenticationLevel=n
[portal]
if the portal is configured for the "combination" module (and maybe also for the choice module), then it tries to honor the desiredAuthenticationLevel only in case of scheme testing (i.e. a combination using OR).
example1:
- desiredAuthenticationLevel = 5
- SSL = 5
- Kerberos = 4
- LDAP = 2
if after evaluating the if conditions in the combination rule, we get:
[Kerberos, LDAP] or [SSL, LDAP] or [LDAP, LDAP]
the OR components should be rearranged to make SSL appear first:
[SSL, LDAP] or [Kerberos, LDAP] or [LDAP, LDAP]
example2:
- desiredAuthenticationLevel = 2
- SSL = 5
- Kerberos = 4
- LDAP = 2
if after evaluating the if conditions in the combination rule, we get:
[SSL, LDAP] or [Kerberos, LDAP] or [LDAP, LDAP]
the OR components should be rearranged into:
[LDAP, LDAP] or [SSL, LDAP] or [Kerberos, LDAP]
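An added Python sketch of the reordering shown by the two examples (not LemonLDAP::NG's own Perl code). It assumes the rule the examples imply: the OR branch whose first scheme has the smallest level that still meets desiredAuthenticationLevel moves to the front, the other branches keep their original order, and the GET parameter is treated as an untrusted integer; the scheme levels are constructed sample values.

```python
# Added example, not LemonLDAP::NG code. Reorders the OR branches of a
# "combination" rule according to desiredAuthenticationLevel.
# Assumed rule (inferred from the two examples): the branch whose first
# scheme has the smallest level that is still >= the desired level is moved
# to the front; the remaining branches keep their original order.

AUTH_LEVELS = {"SSL": 5, "Kerberos": 4, "LDAP": 2}  # constructed sample config


def parse_desired_level(raw, max_level):
    """Validate the untrusted desiredAuthenticationLevel GET parameter.

    Returns 0 (no preference) for anything that is not a positive integer,
    and caps the value at the highest level the portal actually knows, so a
    tampered parameter can only choose among configured levels.
    """
    try:
        level = int(raw)
    except (TypeError, ValueError):
        return 0
    if level <= 0:
        return 0
    return min(level, max_level)


def reorder_branches(branches, desired, levels=AUTH_LEVELS):
    """branches: list of [authScheme, userDBScheme] pairs in rule order.

    A branch's authentication level is the level of its first element.
    """
    if desired <= 0:
        return list(branches)
    candidates = [b for b in branches if levels.get(b[0], 0) >= desired]
    if not candidates:
        # No branch reaches the requested level: keep the rule order, the
        # application will still answer with its "minimum level" form.
        return list(branches)
    # Cheapest scheme that still satisfies the request; min() keeps the
    # first one on ties, so rule order decides between equal levels.
    best = min(candidates, key=lambda b: levels[b[0]])
    idx = branches.index(best)
    return [best] + branches[:idx] + branches[idx + 1:]
```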
if the authentication is set to "Choice", then we could also rely on the desiredAuthenticationLevel to display by default the tab corresponding to the desired authentication scheme.
Security considerations
It might be dangerous to let desiredAuthenticationLevel be passed as an unencrypted GET parameter. It might be used by an attacker to prevent a user from accessing an application.
What do you think about this proposition? Are there already some attempts to do something similar? Do you think of a better architecture / design for this feature? It's open to discussion.