Scenario: I have a logged in user (i.e. got a valid token for a user) and the user wants to perform some potentially dangerous operation in my app. I am also using refresh tokens so the user maybe didn’t enter the password for a long time. Normally, I would ask him to enter the password for proceeding. This ensures me that it is not someone passing by that found a browser left open. How can I check if the entered password is valid with Auth0? Do I reuse the “/outh/ro” endpoint? What is the suggested method? Thanks!
Both the /oauth/ro and the newer /oauth/token endpoints (with the password grant type) are valid options if the underlying identity provider supports active authentication (i.e. your application collecting the user’s credentials and sending them to the IdP). For example, you can use this for Auth0’s database connections, but it will not be possible for social connections (like Google or Facebook).
The suggested method, however, and one that does not require the trust level to clients that the password grant type implies, would be to use the max_age parameter in an authentication call. Support for this will be coming to Auth0, so stay tuned.