If we enable the option "Force two factor authentication" from the module settings (/admin/config/system/oe_authentication), we are still able to select the password authentication method from ECAS.
When we do so, we get a vague error in Drupal, which is very confusing for end users:
There was a problem validating your login, please contact a site administrator.
And the Drupal logs contain:
Error when validating ticket: Error Code INVALID_STRENGTH: ticket 'ST--' does not match requested strengths: [PASSWORD_MOBILE_APP, PASSWORD_SOFTWARE_TOKEN, PASSWORD_SMS]
Ideally EULogin should only list applicable login options.
I believe https://citnet.tech.ec.europa.eu/CITnet/confluence/display/IAM/Multi-factor+authentication is related and explains 3 types of authentication methods (basic/medium/high).
Shouldn't the module expose these 3 options (as select?) in settings instead of the "Force two factor authentication" checkbox?
Thank you
vever001 changed the title from: Restrict login options when enabling "Force two factor authentication" (add "Authentication level" option) to: 2FA and authentication level (Nov 22, 2023)
I just realized that we need to clear all Drupal caches, and after that we only see the 2FA options as expected.
So I was wrong, but this seems to suggest there might be some cache invalidation/metadata missing when oe_authentication alters the CAS redirect.
E.g.:
\Drupal\oe_authentication\Event\EuLoginEventSubscriber::forceTwoFactorAuthentication using oe_authentication.settings (needs cache metadata to be added)
\Drupal\oe_authentication\Event\EuLoginEventSubscriber::processUserProperties using user.settings
This is less of a problem but might be worth looking into.