Support eid-no acr value (#202)
* Support eid-no acr value.

* Add new acr-value to README.md

* Support eid-se acr value.

* Allow for specifying country agnostic eid acrValue

Co-authored-by: Kamil Grela <[email protected]>
Co-authored-by: kamilgrelaschibsted <kamil.grela [at] schibsted.com>
Co-authored-by: Prasalek, Filip <[email protected]>
3 people authored Feb 23, 2022
1 parent fa07a05 commit 489b390
Showing 5 changed files with 25 additions and 8 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -319,13 +319,14 @@ experimental purposes for now. Please let us know before using this in productio
The default is username & password. If you wish to use one of the passwordless login methods, the
`login()` function takes an optional parameter called `acrValues` (Authentication Context Class Reference).
The `acrValues` parameter with multifactor authentication can take following values:
- `eid` - authentication using BankID (for DEV and PRE environments you can choose between country specific solution by specifying `eid-no` or `eid-se` instead)
- `otp-email` - passwordless authentication using code sent to registered email
- `otp-sms` - passwordless authentication using code sent to registered phone number
- `password` - force password authentication (even if user is already logged in)
- `otp` - authentication using registered one time code generator (https://tools.ietf.org/html/rfc6238)
- `sms` - authentication using SMS code sent to phone number
- `password otp sms` - those authentication methods might be combined

The classic way to authenticate a user, is to send them from your site to the Schibsted account
domain, let the user authenticate there, and then have us redirect them back to your site. If you
prefer, we also provide a popup that you can use. In this method, the authentication happens on a
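Review bot: the new `eid` bullet says `eid-no` / `eid-se` are only available for DEV and PRE, but nothing in the SDK enforces that per environment (the `__tests__/identity.js` change builds the URL with `env: 'PRO'` and `acrValues: 'eid-no'`, and `isValidAcrValue` in `src/identity.js` accepts them unconditionally), so a reader will assume the client rejects them in PRO when it will send them as-is. State that the restriction is applied server-side, or validate against `env`. The `password otp sms - those authentication methods might be combined` bullet also does not say whether `eid` can be part of a combination, which the validator currently allows.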
17 changes: 16 additions & 1 deletion __tests__/identity.js
Expand Up @@ -225,14 +225,29 @@ describe('Identity', () => {
}).toThrowError(new SDKError('The acrValues parameter is not acceptable: sms otp password youShallNoTPass'));
});

test('should accept variations of sms, otp, password acrValues. Url shouldn\'t contain prompt=select_account', () => {
test('should accept variations of sms, otp, password, eid-no, eid-se, eid acrValues. Url shouldn\'t contain prompt=select_account', () => {
const identity = new Identity(Object.assign({}, defaultOptions, { env: 'PRO' }));

compareUrls(identity.loginUrl({
state: 'dummy-state',
acrValues: 'sms',
}), 'https://login.schibsted.com/oauth/authorize?redirect_uri=http%3A%2F%2Ffoo.com&client_id=foo&state=dummy-state&response_type=code&scope=openid&acr_values=sms');

compareUrls(identity.loginUrl({
state: 'dummy-state',
acrValues: 'eid-no',
}), 'https://login.schibsted.com/oauth/authorize?redirect_uri=http%3A%2F%2Ffoo.com&client_id=foo&state=dummy-state&response_type=code&scope=openid&acr_values=eid-no');

compareUrls(identity.loginUrl({
state: 'dummy-state',
acrValues: 'eid-se',
}), 'https://login.schibsted.com/oauth/authorize?redirect_uri=http%3A%2F%2Ffoo.com&client_id=foo&state=dummy-state&response_type=code&scope=openid&acr_values=eid-se');

compareUrls(identity.loginUrl({
state: 'dummy-state',
acrValues: 'eid',
}), 'https://login.schibsted.com/oauth/authorize?redirect_uri=http%3A%2F%2Ffoo.com&client_id=foo&state=dummy-state&response_type=code&scope=openid&acr_values=eid');

compareUrls(identity.loginUrl({
state: 'dummy-state',
acrValues: 'sms otp',
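Review bot: the three new `compareUrls` cases (`acrValues: 'eid-no'`, `'eid-se'`, `'eid'`) are positive only; there is no rejection case for a malformed eid value, so a future typo in the accepted list would go unnoticed. Add a negative expectation next to the existing `toThrowError(new SDKError('The acrValues parameter is not acceptable: ...'))` case with an unsupported suffix (for example `acrValues: 'eid-xx'`), and if combining is intended, one combined case such as `'eid password'` so the documented behaviour is pinned by a test.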
1 change: 1 addition & 0 deletions package-lock.json


6 changes: 3 additions & 3 deletions src/identity.d.ts
Expand Up @@ -314,11 +314,11 @@ export type LoginOptions = {
/**
* - Authentication Context Class Reference Values. If
* omitted, the user will be asked to authenticate using username+password.
* For 2FA (Two-Factor Authentication) possible values are `sms`, `otp` (one time password) and
* `password` (will force password confirmation, even if user is already logged in). Those values might
* For 2FA (Two-Factor Authentication) possible values are `sms`, `otp` (one time password),
* `password` (will force password confirmation, even if user is already logged in), `eid`. Those values might
* be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
* to verify AMR (Authentication Methods References) claim in ID token.
* Might also be used to ensure additional acr (sms, otp) for already logged in users.
* Might also be used to ensure additional acr (sms, otp, eid) for already logged in users.
* Supported values are also 'otp-email' means one time password using email, and 'otp-sms' means
* one time password using sms.
*/
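Review bot: the updated JSDoc lists `eid` but not `eid-no` and `eid-se`, which `isValidAcrValue` in `src/identity.js` now accepts, so the typings document a narrower set than the runtime allows. Either add both values here with the DEV/PRE caveat from README.md, or say explicitly that the country-specific variants are undocumented on purpose.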
6 changes: 3 additions & 3 deletions src/identity.js
Expand Up @@ -22,8 +22,8 @@ const { version } = require('../package.json');
* the request and callback. It's also recommended to prevent CSRF {@link https://tools.ietf.org/html/rfc6749#section-10.12}
* @property {string} [acrValues] - Authentication Context Class Reference Values. If
* omitted, the user will be asked to authenticate using username+password.
* For 2FA (Two-Factor Authentication) possible values are `sms`, `otp` (one time password) and
* `password` (will force password confirmation, even if user is already logged in). Those values might
* For 2FA (Two-Factor Authentication) possible values are `sms`, `otp` (one time password),
* `password` (will force password confirmation, even if user is already logged in), `eid`. Those values might
* be mixed as space-separated string. To make sure that user has authenticated with 2FA you need
* to verify AMR (Authentication Methods References) claim in ID token.
* Might also be used to ensure additional acr (sms, otp) for already logged in users.
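Review bot: the line `Might also be used to ensure additional acr (sms, otp) for already logged in users.` is left unchanged in this hunk, while the same sentence in `src/identity.d.ts` was updated to `(sms, otp, eid)` in this commit; update it here too so the JSDoc and the typings do not disagree.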
Expand Down Expand Up @@ -783,7 +783,7 @@ export class Identity extends EventEmitter {
teaser = arguments[6] || teaser;
maxAge = isNaN(arguments[7]) ? maxAge : arguments[7];
}
const isValidAcrValue = (acrValue) => isStrIn(acrValue, ['password', 'otp', 'sms'], true);
const isValidAcrValue = (acrValue) => isStrIn(acrValue, ['password', 'otp', 'sms', 'eid-no', 'eid-se', 'eid'], true);
assert(!acrValues || isStrIn(acrValues, ['', 'otp-email', 'otp-sms'], true) || acrValues.split(' ').every(isValidAcrValue),
`The acrValues parameter is not acceptable: ${acrValues}`);
assert(isUrl(redirectUri),
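Review bot: the accepted list `['password', 'otp', 'sms', 'eid-no', 'eid-se', 'eid']` is now hard-coded here and repeated in prose in README.md and `src/identity.d.ts`, which will drift; hoist it into one named constant that the validator uses and the docs reference. Also, because the check is `acrValues.split(' ').every(isValidAcrValue)`, `eid` and its country variants are accepted in any combination (`'eid eid-no'`, `'eid password'`); if the server only supports `eid` on its own, reject mixed strings here so the error surfaces as the existing `The acrValues parameter is not acceptable` SDKError rather than as an opaque authorize-endpoint failure.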