Our Web app includes a feature called privilege escalation where a user may remain online but will require to confirm his password for certain sensitive operations.
I was trying to use the Resource Owner flow to provide this feature, but I can’t seem to make it work with our configuration. We use Enterprise → Google Apps as our connection.
When I try to configure the default connection for our account, I get this error:
Invalid connection name ourdomain-com. Expected name of a connection with strategy being: auth0-adldap,ad,auth0,email,sms,waad,adfs
Is anybody able to help?
What you’re trying to accomplish is not supported through the resource owner password credentials grant. As mentioned in the documentation this grant is available only for connection capable of performing direct authentication with just username and password:
Keep in mind that only connections capable of authenticating users via username and password can be used (i.e. database connections, AD, LDAP, Windows Azure AD, ADFS)
Google Apps connection is not supported and if I’m not mistaken Google does not support a way for you to request that the user needs to input credentials again and as such performing a redirect-based authentication request may just end-up in Google reusing the existing session which is kind of a noop for what you’re trying to do. At least this is what happens with Google social connection, but I’m not sure if Google Apps would be any different.
As an additional alternative you could consider doing Step-Up Authentication with a second factor instead of asking again for the initial factor.
If I enable MFA it seems that it will be applied to every sign-in request. How would I proceed to request the one-time-password only at specific situations?
If I enable MFA it seems that it will be applied to every sign-in request. How would I proceed to request the one-time-password only at specific situations?
You can control for whom/when MFA is required, for example these docs show a possible way to enable it only for certain users and that is through a rule so you could apply any conditional logic you would need alongside the concepts documented in the step-up authentication page.