AuthnClassRef in authsources can be array of strings

thijskh · thijskh · commit efd2e5b747a6 · 2023-02-26T15:12:53.000Z
Deal with this in multiauth and document that this is the case
diff --git a/modules/multiauth/src/Auth/Source/MultiAuth.php b/modules/multiauth/src/Auth/Source/MultiAuth.php
@@ -99,6 +99,7 @@ public function authenticate(array &$state): void
     {
         $state[self::AUTHID] = $this->authId;
         $state[self::SOURCESID] = $this->sources;
+        $arrayUtils = new Utils\Arrays();
 
         if (!array_key_exists('multiauth:preselect', $state) && isset($this->preselect)) {
             $state['multiauth:preselect'] = $this->preselect;
@@ -111,7 +112,8 @@ public function authenticate(array &$state): void
             $refs = array_values($state['saml:RequestedAuthnContext']['AuthnContextClassRef']);
             $new_sources = [];
             foreach ($this->sources as $source) {
-                if (count(array_intersect($source['AuthnContextClassRef'], $refs)) >= 1) {
+                $config_refs = $arrayUtils->arrayize($source['AuthnContextClassRef']);
+                if (count(array_intersect($config_refs, $refs)) >= 1) {
                     $new_sources[] = $source;
                 }
             }
diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md
@@ -135,8 +135,9 @@ The following attributes are available:
 : The attributes should still be present in `attributes`.
 
 `AuthnContextClassRef`
-:   The SP can request authentication with a specific authentication context class.
+:   The SP can request authentication with one or more specific authentication context classses.
     One example of usage could be if the IdP supports both username/password authentication as well as software-PKI.
+    Set this to a string for one class identifier or an array of requested class identifiers.
 
 `AuthnContextComparison`
 :   The Comparison attribute of the AuthnContext that will be sent in the login request.

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,7 @@ public function authenticate(array &$state): void`
`99`	`99`	`{`
`100`	`100`	`$state[self::AUTHID] = $this->authId;`
`101`	`101`	`$state[self::SOURCESID] = $this->sources;`
	`102`	`+ $arrayUtils = new Utils\Arrays();`
`102`	`103`
`103`	`104`	`if (!array_key_exists('multiauth:preselect', $state) && isset($this->preselect)) {`
`104`	`105`	`$state['multiauth:preselect'] = $this->preselect;`
`@@ -111,7 +112,8 @@ public function authenticate(array &$state): void`
`111`	`112`	`$refs = array_values($state['saml:RequestedAuthnContext']['AuthnContextClassRef']);`
`112`	`113`	`$new_sources = [];`
`113`	`114`	`foreach ($this->sources as $source) {`
`114`		`- if (count(array_intersect($source['AuthnContextClassRef'], $refs)) >= 1) {`
	`115`	`+ $config_refs = $arrayUtils->arrayize($source['AuthnContextClassRef']);`
	`116`	`+ if (count(array_intersect($config_refs, $refs)) >= 1) {`
`115`	`117`	`$new_sources[] = $source;`
`116`	`118`	`}`
`117`	`119`	`}`