sui-id-shared 0.24.0

Shared types and DTOs for sui-id, a self-hosted Rust OIDC provider.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

//! Which authentication factors a session was established with.
//!
//! Recorded once at session creation and read back when issuing an
//! ID token, so that the `acr` and `amr` claims (OpenID Connect Core
//! §2; AMR values are RFC 8176) accurately describe how the user
//! proved who they are.
//!
//! The list of methods on a session is the historical record of
//! *that* sign-in. It is not refreshed on subsequent token-endpoint
//! calls — a session that started as password-only does not become
//! MFA later just because the user enrols TOTP afterwards.

use serde::{Deserialize, Serialize};

/// Authentication method that contributed to a session's
/// authentication. The variants map 1:1 to RFC 8176 AMR values.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuthMethod {
    /// Username + password. Always present in a sui-id session.
    Pwd,
    /// TOTP authenticator app code.
    Totp,
    /// One of the user's pre-issued recovery codes.
    RecoveryCode,
    /// WebAuthn assertion (passkey / hardware key).
    Webauthn,
}

impl AuthMethod {
    /// The RFC 8176 AMR token for this method. These strings appear
    /// verbatim in the `amr` array of issued ID tokens; relying
    /// parties match on them.
    pub fn as_amr(self) -> &'static str {
        match self {
            // RFC 8176 §2 — values are case-sensitive lowercase.
            Self::Pwd => "pwd",
            // TOTP and recovery codes are both one-time passwords from
            // the perspective of relying parties; RFC 8176 has a
            // single `otp` token for both.
            Self::Totp | Self::RecoveryCode => "otp",
            // RFC 8176 §2 — `hwk` is "proof of possession of a
            // hardware-secured key". This is what a passkey or
            // security key stored in a TPM/Secure Enclave is.
            Self::Webauthn => "hwk",
        }
    }

    /// Whether this method counts as a *second factor* — i.e. it is
    /// neither password nor a knowledge-only credential. Used to
    /// derive the ACR level.
    pub fn is_second_factor(self) -> bool {
        match self {
            Self::Pwd => false,
            Self::Totp | Self::RecoveryCode | Self::Webauthn => true,
        }
    }

    /// Whether this method is *phishing-resistant* in the sense that
    /// the credential cannot be replayed by an attacker who has
    /// captured the user's keystrokes. WebAuthn is; TOTP is not (the
    /// 6-digit code is interceptable inside its 30-second window).
    pub fn is_phishing_resistant(self) -> bool {
        matches!(self, Self::Webauthn)
    }
}

/// OIDC Authentication Context Class Reference value derived from
/// the methods used in a session.
///
/// We follow the ISO/IEC 29115 four-level Level-of-Assurance scheme
/// (also referenced from OpenID Connect Core §2 as the reference
/// example for `acr`), encoded as the bare numeric strings `"1"`,
/// `"2"`, `"3"` that Keycloak and most other off-the-shelf IdPs
/// produce. Numeric strings are the most widely understood form
/// across RP libraries; the longer URI variants used by NIST AAL
/// or eIDAS LoA fit those specific contexts and are needlessly
/// verbose for a general-purpose IdP.
///
/// Mapping:
///
/// - `"1"` — single factor. Password only. Equivalent to ISO 29115
///   LoA 1 / NIST AAL 1.
/// - `"2"` — multi-factor with a software second factor (TOTP,
///   recovery code). Equivalent to ISO 29115 LoA 2.
/// - `"3"` — multi-factor with a phishing-resistant hardware
///   second factor (WebAuthn). Equivalent to ISO 29115 LoA 3.
///
/// LoA 4 (in-person identity proofing) is not something an IdP can
/// assert from authentication alone, so sui-id never produces it.
pub fn acr_from_methods(methods: &[AuthMethod]) -> &'static str {
    if methods.iter().any(|m| m.is_phishing_resistant()) {
        "3"
    } else if methods.iter().any(|m| m.is_second_factor()) {
        "2"
    } else {
        "1"
    }
}

/// Build the `amr` claim array. Includes `"mfa"` (RFC 8176) as the
/// umbrella signal when **two or more distinct factor types** were
/// used — i.e. when the sign-in was genuinely multi-factor. A
/// single-factor sign-in, even one with a hardware key, does not
/// claim `mfa`.
///
/// Deduplicates while preserving order so that `["pwd", "otp", "mfa"]`
/// is the canonical shape.
pub fn amr_from_methods(methods: &[AuthMethod]) -> Vec<String> {
    let mut out: Vec<String> = Vec::with_capacity(methods.len() + 1);
    for m in methods {
        let v = m.as_amr().to_string();
        if !out.contains(&v) {
            out.push(v);
        }
    }
    // RFC 8176 `mfa`: claim only if two or more *distinct* factor
    // tokens are present. WebAuthn alone, or password alone, does
    // not earn `mfa` even though WebAuthn is phishing-resistant.
    if out.len() >= 2 && !out.contains(&"mfa".to_string()) {
        out.push("mfa".to_string());
    }
    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn password_only_is_loa_1() {
        assert_eq!(acr_from_methods(&[AuthMethod::Pwd]), "1");
        assert_eq!(amr_from_methods(&[AuthMethod::Pwd]), vec!["pwd"]);
    }

    #[test]
    fn password_plus_totp_is_loa_2_with_mfa() {
        let m = [AuthMethod::Pwd, AuthMethod::Totp];
        assert_eq!(acr_from_methods(&m), "2");
        assert_eq!(amr_from_methods(&m), vec!["pwd", "otp", "mfa"]);
    }

    #[test]
    fn password_plus_recovery_is_loa_2_with_otp_amr() {
        // Recovery codes share the `otp` AMR with TOTP — both are
        // one-time codes from the RP's perspective.
        let m = [AuthMethod::Pwd, AuthMethod::RecoveryCode];
        assert_eq!(acr_from_methods(&m), "2");
        assert_eq!(amr_from_methods(&m), vec!["pwd", "otp", "mfa"]);
    }

    #[test]
    fn password_plus_webauthn_is_loa_3() {
        let m = [AuthMethod::Pwd, AuthMethod::Webauthn];
        assert_eq!(acr_from_methods(&m), "3");
        assert_eq!(amr_from_methods(&m), vec!["pwd", "hwk", "mfa"]);
    }

    #[test]
    fn duplicates_are_deduped_and_mfa_isnt_added_twice() {
        let m = [AuthMethod::Pwd, AuthMethod::Pwd, AuthMethod::Totp, AuthMethod::Totp];
        assert_eq!(amr_from_methods(&m), vec!["pwd", "otp", "mfa"]);
    }

    #[test]
    fn empty_methods_falls_back_to_loa_1() {
        // An empty slice is a corruption case in practice — any
        // sui-id session has at least Pwd. Be conservative: the
        // lowest LoA, no `mfa`, no second factor.
        assert_eq!(acr_from_methods(&[]), "1");
        assert!(amr_from_methods(&[]).is_empty());
    }

    #[test]
    fn webauthn_alone_is_phishing_resistant_so_loa_3_but_not_mfa() {
        // Hypothetical future: passwordless WebAuthn-only sign-in.
        // The hardware-bound key assertion clears LoA 3 by itself,
        // but it is *not* multi-factor — just one phishing-
        // resistant factor.
        let m = [AuthMethod::Webauthn];
        assert_eq!(acr_from_methods(&m), "3");
        assert_eq!(amr_from_methods(&m), vec!["hwk"]);
    }
}