Development #6925
Map authentication method to authentication levels and use those levels to limit access to services
Description
To make it easier for service providers to constrain authentication levels, authentication methods should be mapped to an integer authentication level. The mapping must be customized; by default all authentication methods are level 0.
The setting would be named A2_AUTHENTICATION_METHOD_LEVELS and would look like this:

    A2_AUTHENTICATION_METHOD_LEVELS = {
        'ssl': 2,
        'oath': 1,
        'password-on-https': 0,
        'password': -1,
    }

Authentic provides a default list of authentication methods that you can get through authentic2.authentication_methods.get_authentication_methods(), and which is currently password, password-on-https, email.
For each service we could choose an authentication level, the default being 0. Any level greater than or equal to the chosen level will give access to the service.
When requesting the login page, a service should be able to provide a minimum level; any frontend providing an authentication method below the given level will not appear. For example, a redirect to /login/?level=2 with the previous setting and no acceptable X509 certificate presented would inform the user that no authentication method is available for him, and would invite him to continue by canceling the SSO request.
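
The proposed behaviour can be sketched as follows. This is an added example, not authentic2 code: the function names are hypothetical, and it assumes that the `level` query parameter only filters which frontends are displayed while the access decision uses the level configured for the service, since the URL can be edited by the user.

```python
# Added illustration of the proposal; not authentic2 code.
# All function names below are hypothetical.
from urllib.parse import urlparse, parse_qs

# Setting as proposed in the issue.
A2_AUTHENTICATION_METHOD_LEVELS = {
    'ssl': 2,
    'oath': 1,
    'password-on-https': 0,
    'password': -1,
}
DEFAULT_LEVEL = 0  # unmapped methods (e.g. 'email') and services default to 0


def method_level(method, levels=A2_AUTHENTICATION_METHOD_LEVELS):
    """Level of an authentication method; unmapped methods are level 0."""
    return levels.get(method, DEFAULT_LEVEL)


def requested_level(login_url):
    """Read ?level=N from the login URL; a missing or malformed value gives 0.

    Assumption of this example: the value is a display hint only, so falling
    back to 0 cannot lower what a service requires (see has_access).
    """
    values = parse_qs(urlparse(login_url).query).get('level', [])
    try:
        return int(values[0])
    except (IndexError, ValueError):
        return DEFAULT_LEVEL


def available_frontends(methods, min_level):
    """Methods at or above min_level; an empty list means none can be shown."""
    return [m for m in methods if method_level(m) >= min_level]


def has_access(session_method, service_level=DEFAULT_LEVEL):
    """Access decision based on the level configured for the service."""
    return method_level(session_method) >= service_level
```

With the default method list (password, password-on-https, email) and `/login/?level=2`, `available_frontends` returns an empty list, which is the "no authentication method is available" case described above.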