4 changes: 2 additions & 2 deletions dpc-portal/app/controllers/login_dot_gov_controller.rb
Expand Up @@ -130,8 +130,8 @@ def ial_2_actions(user, auth)
session[:login_dot_gov_token_exp] = auth.credentials.expires_in.seconds.from_now
end

def path(user, auth)
if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/1'
I don't think this line should be changed; it's ensuring that the IAL level is not 1.

Updated it based on our conversation.

def path(user, _auth)
if user.blank?
Rails.logger.info(['User logged in without account',
{ actionContext: LoggingConstants::ActionContext::Authentication,
actionType: LoggingConstants::ActionType::UserLoginWithoutAccount }])
2 changes: 1 addition & 1 deletion dpc-portal/config/initializers/omniauth.rb
Expand Up @@ -21,7 +21,7 @@
discovery: true,
scope: %i[openid email all_emails],
response_type: :code,
acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
client_auth_method: :jwt_bearer,
client_options: {
port: 443,
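Review bot: `acr_values` on the new line is only what the client asks for; the assurance level actually granted comes back in the ID token's `acr` claim, and nothing in this hunk (or in the controller hunk, where `path` no longer reads `auth.extra.raw_info.ial`) shows where the returned value is compared against the requested one. Unless the OmniAuth strategy itself rejects a response whose `acr` differs from `acr_values` — I can't confirm that from this page — the requested level is not a guarantee on its own. A comment naming the enforcing code would help the next reader, e.g. `# Requested IAL only; the granted level must be verified from the ID token's acr claim in <ENFORCING_METHOD>` with the placeholder filled in.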
66 changes: 5 additions & 61 deletions dpc-portal/spec/requests/login_dot_gov_spec.rb
Expand Up @@ -94,67 +94,10 @@
end

context :user_does_not_exist do
it 'does not sign in user' do
post '/auth/login_dot_gov'
follow_redirect!
expect(response.location).to eq organizations_url
expect(response).to be_redirect
follow_redirect!
expect(response).to be_redirect
end

it 'sets authentication token' do
post '/auth/login_dot_gov'
follow_redirect!
expect(request.session[:login_dot_gov_token]).to eq token
expect(request.session[:login_dot_gov_token_exp]).to_not be_nil
expect(request.session[:login_dot_gov_token_exp]).to be_within(1.second).of 899.seconds.from_now
end
end
end

context 'IAL/1' do
before do
OmniAuth.config.test_mode = true
OmniAuth.config.add_mock(:login_dot_gov,
{ uid: uuid,
info: { email: 'bob3@example.com' },
extra: { raw_info: { all_emails: %w[bob3@example.com bobby@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
end

it_behaves_like 'an openid client'

context :user_exists do
before do
user = create(:user, email: 'bob3@example.com', given_name: 'Bob',
family_name: 'Hoskins')
create(:csp_user, user:, uuid:, csp:)
end
it 'does not update user names' do
expect(User.where(email: 'bob3@example.com', given_name: 'Bob',
family_name: 'Hoskins').count).to eq 1
post '/auth/login_dot_gov'
follow_redirect!
expect(response.location).to eq organizations_url
expect(User.where(email: 'bob3@example.com', given_name: 'Bob',
family_name: 'Hoskins').count).to eq 1
end

it 'does not set authentication token' do
post '/auth/login_dot_gov'
follow_redirect!
expect(request.session[:login_dot_gov_token]).to be_nil
expect(request.session[:login_dot_gov_token_exp]).to be_nil
end
end

context 'user does not exist' do
it 'does not sign in user' do
post '/auth/login_dot_gov'
follow_redirect!
expect(response.location).to eq no_account_url
expect(response).to be_redirect
end

it 'should log' do
Expand All @@ -168,11 +111,12 @@
follow_redirect!
end

it 'does not set authentication token' do
it 'sets authentication token' do
Unrelated to these changes, but when someone logs in through Login.gov and they don't have a user account, do we need to bother saving their token?

That's a good question! At first I thought it might be needed for logout, but looking at the documentation, it looks like it's not needed. This might be worth discussing with the team. https://developers.login.gov/oidc/logout/

post '/auth/login_dot_gov'
follow_redirect!
expect(request.session[:login_dot_gov_token]).to be_nil
expect(request.session[:login_dot_gov_token_exp]).to be_nil
expect(request.session[:login_dot_gov_token]).to eq token
expect(request.session[:login_dot_gov_token_exp]).to_not be_nil
expect(request.session[:login_dot_gov_token_exp]).to be_within(1.second).of 899.seconds.from_now
end
end
end
Expand Down Expand Up @@ -316,7 +260,7 @@
{ uid: uuid,
info: { email: 'bob4@example.com' },
extra: { raw_info: { all_emails: %w[bob4@example.com bobby@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
end

it 'should log error' do
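Review bot: The deleted `context 'IAL/1'` block was the only spec that mocked a callback whose `raw_info.ial` is still `http://idmanagement.gov/ns/assurance/ial/1`, so after this change no test pins what the controller does when the IdP returns a lower assurance level than the one now requested in the initializer. Keeping one negative case with that mock — asserting whatever the team decides the correct outcome is for a lower-assurance response (for example that `request.session[:login_dot_gov_token]` stays nil and the user is not signed in) — would make a regression in that path visible instead of silent. The enclosing `describe` block starts and ends outside this hunk.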
9 changes: 7 additions & 2 deletions dpc-portal/spec/support/login_support.rb
Expand Up @@ -11,9 +11,14 @@ def sign_in(user)
OmniAuth.config.test_mode = true
OmniAuth.config.add_mock(csp.name,
{ uid: csp_user.uuid,
credentials: { expires_in: 899,
token: 'bearer-token' },
info: { email: user.email },
extra: { raw_info: { all_emails: [user.email],
ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
extra: { raw_info: { given_name: 'Bob',
family_name: 'Hoskins',
social_security_number: '1-2-3',
all_emails: [user.email],
ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
post '/auth/login_dot_gov'
follow_redirect!
end
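Review bot: The new mock hash inside `sign_in` is repeated almost verbatim in `dpc-portal/spec/system/accessibility_spec.rb` and `dpc-portal/spec/system/new_invitation_spec.rb` (same `credentials`, `given_name`, `family_name`, `social_security_number` and `ial` values), so the next attribute the callback gains has to be edited in three places. A single helper in this support file, called as `OmniAuth.config.add_mock(csp.name, ial2_auth_hash(uid: csp_user.uuid, emails: [user.email]))`, would keep the fixtures consistent. Separately, `raw_info` now carries a `social_security_number` value, which presumably mirrors the real IAL2 payload; none of the three specs asserts that this field is not written to the session or to the log, which is worth one expectation. `sign_in` starts outside the hunk.
```ruby
# Builds the IAL2 OmniAuth mock hash shared by the request and system specs.
# emails.first is used as the primary email; all of them go into all_emails.
def ial2_auth_hash(uid:, emails:)
  { uid:,
    credentials: { expires_in: 899,
                   token: 'bearer-token' },
    info: { email: emails.first },
    extra: { raw_info: { given_name: 'Bob',
                         family_name: 'Hoskins',
                         social_security_number: '1-2-3',
                         all_emails: emails,
                         ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } }
end
```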
9 changes: 7 additions & 2 deletions dpc-portal/spec/system/accessibility_spec.rb
Expand Up @@ -18,9 +18,14 @@
OmniAuth.config.test_mode = true
OmniAuth.config.add_mock(:login_dot_gov,
{ uid:,
credentials: { expires_in: 899,
token: 'bearer-token' },
info: { email: 'bob@example.com' },
extra: { raw_info: { all_emails: %w[bob@example.com bob2@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
extra: { raw_info: { given_name: 'Bob',
family_name: 'Hoskins',
social_security_number: '1-2-3',
all_emails: %w[bob@example.com bob2@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
end
def sign_in
visit '/auth/login_dot_gov/callback'
9 changes: 7 additions & 2 deletions dpc-portal/spec/system/new_invitation_spec.rb
Expand Up @@ -15,9 +15,14 @@
OmniAuth.config.test_mode = true
OmniAuth.config.add_mock(:login_dot_gov,
{ uid:,
credentials: { expires_in: 899,
token: 'bearer-token' },
info: { email: 'bob@example.com' },
extra: { raw_info: { all_emails: %w[bob@example.com bob2@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
extra: { raw_info: { given_name: 'Bob',
family_name: 'Hoskins',
social_security_number: '1-2-3',
all_emails: %w[bob@example.com bob2@example.com],
ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
end
def sign_in
visit '/auth/login_dot_gov/callback'