Merge pull request #653 from SUNET/lundberg_idp_optional_mfa

Use user setting to determine if the IdP should force use of mfa when available
SUNET · Aug 12, 2024 · 702bd50 · 702bd50
2 parents dd39a5c + 5667250
commit 702bd50
Show file tree

Hide file tree

Showing 6 changed files with 734 additions and 341 deletions.
diff --git a/src/eduid/webapp/idp/mfa_action.py b/src/eduid/webapp/idp/mfa_action.py
@@ -19,6 +19,10 @@ def need_security_key(user: IdPUser, ticket: LoginContext) -> bool:
         logger.debug("User has no FIDO credentials, no extra requirement for MFA this session imposed")
         return False
 
+    if user.preferences.always_use_security_key is False:
+        logger.debug("User has not forced MFA, no extra requirement for MFA this session imposed")
+        return False
+
     for cred_key in ticket.pending_request.credentials_used:
         credential: Optional[Credential]
         if cred_key in ticket.pending_request.onetime_credentials: