fix: correct no tokens redirect

lib/Auth/Process/SwitchAuth.php

@@ -24,7 +24,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
     private const SETUP_MFA_URL = 'authswitcher/setupMFA.php';
 
-    public const SETUP_MFA_TPL_URL = 'authswitcher/setup-mfa-tpl.php';
+    public const SETUP_MFA_TPL_URL = 'authswitcher:setup-mfa-tpl.php';
 
     public const PARAM_MFA_REDIRECT_URL = 'mfa_redirect_url';
 
@@ -134,41 +134,33 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
         $usersCapabilities = $this->getMFAForUid($state);
 
-        if (
-            $mfaEnforced && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS]) &&
-            !in_array($this->entityID, $this->mfa_excluded_sps) && !empty($this->setup_mfa_redirect_url)
-        ) {
-            $url = Module::getModuleURL(self::SETUP_MFA_URL);
-            $params = [];
-            $params[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
-            HTTP::redirectTrustedURL($url, $params);
-        }
+        $upstreamContext = $this->proxyMode ? ProxyHelper::fetchContextFromUpstreamIdp($state) : null;
 
         self::info('user capabilities: ' . json_encode($usersCapabilities));
 
         self::setErrorHandling($state);
 
         if ($this->proxyMode) {
-            $upstreamContext = ProxyHelper::fetchContextFromUpstreamIdp($state);
             self::info('upstream context: ' . $upstreamContext);
             ProxyHelper::recoverSPRequestedContexts($state);
-        } else {
-            $upstreamContext = null;
         }
 
         $this->supported_requested_contexts = $this->authnContextHelper->getSupportedRequestedContexts(
             $usersCapabilities,
             $state,
             $upstreamContext,
-            !$this->check_entropy || $this->checkSfaEntropy($state['Attributes']),
-            $mfaEnforced
+            !$this->check_entropy || $this->checkSfaEntropy($state['Attributes'])
         );
 
         self::info('supported requested contexts: ' . json_encode($this->supported_requested_contexts));
 
         $shouldPerformMFA = !$this->authnContextHelper->MFAin([
                 $upstreamContext,
-            ]) && ($mfaEnforced || $this->authnContextHelper->isMFAprefered($this->supported_requested_contexts));
+            ]) && (
+                $mfaEnforced
+                || empty($this->supported_requested_contexts)
+                || $this->authnContextHelper->isMFAprefered($this->supported_requested_contexts)
+            );
 
         if (
             $this->mfa_preferred_privacyidea_fail
@@ -178,6 +170,26 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
             throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
         }
 
+        if (
+            $shouldPerformMFA
+            && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS])
+            && !empty($this->setup_mfa_redirect_url)
+            && !in_array($this->entityID, $this->mfa_excluded_sps)
+        ) {
+            self::info('user must perform MFA but has no tokens, redirect to setup');
+            $url = Module::getModuleURL(self::SETUP_MFA_URL);
+            $state[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
+            $stateId = State::saveState($state, 'authswitcher:authswitcher');
+            HTTP::redirectTrustedURL($url, ['stateId' => $stateId]);
+            exit;
+        }
+        if (empty($this->supported_requested_contexts)) {
+            Logger::info(
+                'authswitcher: no requested AuthnContext can be fulfilled: ' . json_encode($requestedContexts)
+            );
+            self::noAuthnContextResponder($state);
+        }
+
         // switch to MFA if enforced or preferred but not already done if we handle the proxy mode
         $performMFA = $this->authnContextHelper->MFAin($usersCapabilities) && $shouldPerformMFA;