How to enforce re-authentication for sensitive operations?

amaan.cheval1 · March 27, 2017, 12:03pm

Hi

We would like to re-authenticate the user when he does some critical operations.

Best regards

amaanc · March 27, 2017, 12:17pm

This certainly depends on your specific use-case, but we need to make a distinction between simply reauthentication for sensitive operations vs. step-up (i.e. multifactor authentication) for sensitive operations. Both are valid security measures - the former merely requires the end user to re-enter their password, whereas the latter requires them to use a pre-configured means of multifactor authentication as well.

Our docs document the step-up authentication scenario here.

If you require reauthentication, that’s relatively simple too. What you need to do is pass the max_age parameter to our /authorize endpoint - if you use Auth0.js or Lock, this is as simple as setting the max_age parameter in the appropriate options of the library.

The OpenID Connect specification defines max_age here.:

max_age
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.

For example:

 auth0.authorize({
   audience: 'https://mystore.com/api/v2',
   scope: 'read:order write:order',
   responseType: 'token',
   redirectUri: 'https://example.com/auth/callback'
   maxAge: 600
 });

(Note: Auth0.js currently automatically converts camelCased options passed into snake_cased options and that’s behavior we’re relying on in this example. You may need to use max_age instead of maxAge if the library changes!)

With the given options above, your callback URL will receive an auth_time claim within the id_token. You can verify the id_token as usual and then verify that the auth_time is recent enough to qualify as reauthenticating the user.

Sample JWT here.

Warning:

This method assumes you use database connections. External Identity-Providers may or may not support forcing reauthentication. Using prompt=login or prompt=consent is generally a way to indicate an external (social) identity-provider to reauthenticate a user, but Auth0 cannot enforce this.
Please don’t rely on client-side verification (i.e. in the browser, for eg.) of the id_token or auth_time to prevent sensitive operations.