diff --git a/identity/credentials.go b/identity/credentials.go
index cebf80cee17a..74b6857ef124 100644
--- a/identity/credentials.go
+++ b/identity/credentials.go
@@ -31,7 +31,6 @@ const (
 	NoAuthenticatorAssuranceLevel AuthenticatorAssuranceLevel = "aal0"
 	AuthenticatorAssuranceLevel1 AuthenticatorAssuranceLevel = "aal1"
 	AuthenticatorAssuranceLevel2 AuthenticatorAssuranceLevel = "aal2"
-	AuthenticatorAssuranceLevel3 AuthenticatorAssuranceLevel = "aal3"
 )
 
 // CredentialsType represents several different credential types, like password credentials, passwordless credentials,
diff --git a/identity/credentials_test.go b/identity/credentials_test.go
index d6d570f8c22d..2f7590f5e710 100644
--- a/identity/credentials_test.go
+++ b/identity/credentials_test.go
@@ -28,8 +28,6 @@ func TestCredentialsEqual(t *testing.T) {
 func TestAALOrder(t *testing.T) {
 	assert.True(t, NoAuthenticatorAssuranceLevel < AuthenticatorAssuranceLevel1)
 	assert.True(t, AuthenticatorAssuranceLevel1 < AuthenticatorAssuranceLevel2)
-	assert.True(t, AuthenticatorAssuranceLevel1 < AuthenticatorAssuranceLevel3)
-	assert.True(t, AuthenticatorAssuranceLevel2 < AuthenticatorAssuranceLevel3)
 }
 
 func TestParseCredentialsType(t *testing.T) {
diff --git a/session/manager_http.go b/session/manager_http.go
index 29b17894750a..0161fb9a15d4 100644
--- a/session/manager_http.go
+++ b/session/manager_http.go
@@ -226,13 +226,6 @@ func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (_
 	}
 
 	expand := identity.ExpandDefault
-	if s.r.Config().SessionWhoAmIAAL(r.Context()) == config.HighestAvailableAAL {
-		// When the session endpoint requires the highest AAL, we fetch all credentials immediately to save a
-		// query later in "DoesSessionSatisfy". This is a SQL optimization, because the identity manager fetches
-		// the data in parallel, which is a bit faster than fetching it in sequence.
-		expand = identity.ExpandEverything
-	}
-
 	se, err := s.r.SessionPersister().GetSessionByToken(ctx, token, ExpandEverything, expand)
 	if err != nil {
 		if errors.Is(err, herodot.ErrNotFound) || errors.Is(err, sqlcon.ErrNoRows) {
@@ -277,6 +270,11 @@ func (s *ManagerHTTP) DoesSessionSatisfy(r *http.Request, sess *Session, request
 	ctx, span := s.r.Tracer(r.Context()).Tracer().Start(r.Context(), "sessions.ManagerHTTP.DoesSessionSatisfy")
 	defer otelx.End(span, &err)
 
+	// If we already have AAL2 there is no need to check further because it is the highest AAL.
+	if sess.AuthenticatorAssuranceLevel > identity.AuthenticatorAssuranceLevel1 {
+		return nil
+	}
+
 	managerOpts := &options{}
 	for _, o := range opts {
diff --git a/session/test/persistence.go b/session/test/persistence.go
index 0dbd746c49c7..d2a37837c7e9 100644
--- a/session/test/persistence.go
+++ b/session/test/persistence.go
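Review bot: The early return on the new `if sess.AuthenticatorAssuranceLevel > identity.AuthenticatorAssuranceLevel1` line in DoesSessionSatisfy accepts any value that sorts above "aal1", not only "aal2"; since this same commit deletes the "aal3" constant, a session row still persisted with that string (or any other unexpected value above "aal1") would keep short-circuiting every later check instead of being re-evaluated. Testing for the single value that is now the maximum, `if sess.AuthenticatorAssuranceLevel == identity.AuthenticatorAssuranceLevel2 {`, fails closed for everything else. The return also fires before `opts` are applied and before whatever the remainder of DoesSessionSatisfy verifies (the function body continues outside the hunk), so it is worth confirming that none of those checks are meant to run for AAL2 sessions too. The comment could state why "aal2" is the ceiling, e.g. `// AAL2 is the highest level defined (AAL3 was removed), so nothing stricter can be requested.`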
@@ -114,12 +114,12 @@ func TestPersister(ctx context.Context, conf *config.Config, p interface {
 	})
 
 	t.Run("case=update session", func(t *testing.T) {
-		expected.AuthenticatorAssuranceLevel = identity.AuthenticatorAssuranceLevel3
+		expected.AuthenticatorAssuranceLevel = identity.AuthenticatorAssuranceLevel1
 		require.NoError(t, p.UpsertSession(ctx, &expected))
 		actual, err := p.GetSessionByToken(ctx, expected.Token, session.ExpandDefault, identity.ExpandDefault)
 		check(actual, err)
-		assert.Equal(t, identity.AuthenticatorAssuranceLevel3, actual.AuthenticatorAssuranceLevel)
+		assert.Equal(t, identity.AuthenticatorAssuranceLevel1, actual.AuthenticatorAssuranceLevel)
 	})
 
 	t.Run("case=remove amr and update", func(t *testing.T) {