Right now the OAuth server will happily generate an OAuth code for a session that does not have 2FA verification even if it was requested. The onus is upon the relier to check the acr_values in the id_token to ensure 2FA was used. In the content server, we have no way of checking whether 2FA was used for the given session and can't prompt the user to enter a TOTP code for that session.
We could make it so that the OAuth server errors if the session used to generate the OAuth code is not 2FA verified and 2FA is requested. To the POST /authorization endpoint, add an acr_values query param, check the fxa_aal claim in the assertion, error if no match. If the call to /authorization fails, the content server could then either prompt the user to enable 2FA (if not enabled) or verify via 2FA (if enabled).
In support of #520 with further conversation in https://github.com/mozilla/addons/issues/732.
Right now the OAuth server will happily generate an OAuth code for a session that does not have 2FA verification even if it was requested. The onus is upon the relier to check the acr_values in the id_token to ensure 2FA was used. In the content server, we have no way of checking whether 2FA was used for the given session and can't prompt the user to enter a TOTP code for that session.
We could make it so that the OAuth server errors if the session used to generate the OAuth code is not 2FA verified and 2FA is requested. To the POST /authorization endpoint, add an acr_values query param, check the fxa_aal claim in the assertion, error if no match. If the call to /authorization fails, the content server could then either prompt the user to enable 2FA (if not enabled) or verify via 2FA (if enabled).