Is there a way to require a user to verify their password for email / password connections? Stripe has a good example of this. If you attempt to make a destructive action like editing a product, deleting a customer etc, you have to confirm your password, essentially log in again, before doing so. Is there a way to achieve this with Auth0? If a user is already logged in and we push them to the universal login, they’ll be immediately redirected back to us because they never logged out.
Thanks for reaching out to the Auth0 Community!
It sounds to me that you are looking to perform Step-Up Authentication for your application.
Step-Up Authentication is a way of asking the user to authenticate again to gain access to specific resources and access control. Then after authenticating they can proceed with these actions.
You may find our documentation on Step-Up Authentication for webapps useful.
Please let me know if you have any further questions.
Hmmm almost, but not quite. Thanks for the resource though, I didn’t know this was a feature. From my understanding, Step-Up Authentication requires a separate authentication method ( e.g. SMS, rotating code, etc ). We really just want the user to authenticate again to confirm they want the action to proceed, especially when it’s a potentially destructive action.
I just wanted to leave this here:
Thanks for sharing that documentation @Ale!
Just to reiterate, you can force reauthentication again by passing the
prompt=login parameter to the authentication request.
Please let me know how this works for you.
Ah perfect, I just stumbled over this also. I think we can make something work with this. It’s a little unfortunate that once the user lands on this page they can actually enter any username / password and also still have the option of creating an account. Maybe there are ways around this using the new universal login experience and hiding some options?
Otherwise I guess we can always verify the users are the same when they return, it’s just a little bit of a funky user experience.
That sounds great! That’s a great point, that the user may see the Sign Up option as well.
If needed, you can remove that Lock Configuration Option by setting the
allowSignUp: false in your Auth0Lock in the Universal Login.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.