mozilla / discourse

Issues repo for Discourse roadmap within Mozilla
https://github.com/mozilla/discourse/projects/1

Trivial AAL solution #167

Closed LeoMcA closed 5 years ago

LeoMcA commented 5 years ago

Work happening here: https://github.com/mozilla/discourse-mozilla-iam/tree/aal

Current behaviour:

* currently all sessions are killed, rather than just the affected ones, I'm working on fixing this


LeoMcA commented 5 years ago

Staging is using this branch but there seems to be an auth0 misconfiguration. It could be the auth0-dev creds I have are wrong. The client id is eKCVLtzOkeFX5sRr9MVRrZX9dl2CiVSo.

https://github.com/mozilla-iam/sso-dashboard-configuration/blob/master/apps.yml also needs to be updated to enable AAL: LOW on staging.

LeoMcA commented 5 years ago

Things are working on staging now.

I've identified one bug where all of a user's sessions will be logged off if one of them falls below the required AAL, rather than just the session(s) which have an insufficient AAL. I'll work on fixing that next.

@viorelaioia this should be ready for QA now
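The session bug described in the comment above, as an added illustration that is not code from discourse-mozilla-iam or from the issue author; the AAL level names, their ordering and the session shape are assumptions:

```ruby
# Added illustration (not code from the plugin): enforce a required
# Authenticator Assurance Level (AAL) per session rather than per user.

# Assumed AAL ordering; the level names are an assumption for this example.
AAL_ORDER = { "LOW" => 0, "MEDIUM" => 1, "HIGH" => 2, "MAXIMUM" => 3 }.freeze

# Minimal session record: which user it belongs to and the AAL it was
# established with (nil when the identity provider reported none).
Session = Struct.new(:id, :user_id, :aal)

# Unknown or missing levels are treated as below every required level,
# so a session with no recorded AAL is never considered sufficient.
def aal_sufficient?(session_aal, required_aal)
  AAL_ORDER.fetch(session_aal, -1) >= AAL_ORDER.fetch(required_aal)
end

# Behaviour the issue reports as a bug: one session below the required AAL
# causes every session of that user to be revoked.
def sessions_to_revoke_per_user(sessions, required_aal)
  weak_users = sessions
    .reject { |s| aal_sufficient?(s.aal, required_aal) }
    .map(&:user_id)
    .uniq
  sessions.select { |s| weak_users.include?(s.user_id) }.map(&:id)
end

# Intended behaviour: only the sessions whose own AAL is insufficient
# are revoked; the user's other sessions stay logged in.
def sessions_to_revoke_per_session(sessions, required_aal)
  sessions.reject { |s| aal_sufficient?(s.aal, required_aal) }.map(&:id)
end

# Constructed sample: user 1 has one MFA-backed session and one
# password-only session; user 2 has a single strong session.
SAMPLE_SESSIONS = [
  Session.new("s1", 1, "MEDIUM"),
  Session.new("s2", 1, "LOW"),
  Session.new("s3", 2, "HIGH"),
  Session.new("s4", 3, nil),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "per-user:    #{sessions_to_revoke_per_user(SAMPLE_SESSIONS, 'MEDIUM').inspect}"
  puts "per-session: #{sessions_to_revoke_per_session(SAMPLE_SESSIONS, 'MEDIUM').inspect}"
end
```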

LeoMcA commented 5 years ago

allows logging in with secondary emails

I never fully thought this through wrt staff accounts:

So, reverting the change for now. I'll revisit as part of the post-AAL world improvements.

hmitsch commented 5 years ago

do we even want to allow login with a non staff email on a staff account? (I doubt it)

No, we do not want to allow that kind of login. The basic guideline from InfoSec is: If you are Staff, you have to use Staff LDAP (plus MFA).

Best regards, Henrik

LeoMcA commented 5 years ago

https://discourse.mozilla.org/t/mozilla-discourse-release-2019-02-27/36283