Hi
We would like to re-authenticate the user when he does some critical operations.
Best regards
This certainly depends on your specific use-case, but we need to make a distinction between simple reauthentication for sensitive operations vs. step-up (i.e. multifactor authentication) for sensitive operations. Both are valid security measures - the former merely requires the end user to re-enter their password, whereas the latter requires them to use a pre-configured means of multifactor authentication as well.
Our docs document the step-up authentication scenario here.
If you require reauthentication, that's relatively simple too. What you need to do is pass the max_age parameter to our /authorize endpoint - if you use Auth0.js or Lock, this is as simple as setting the max_age parameter in the appropriate options of the library.
The OpenID Connect specification defines max_age here:
max_age
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
For example:
```javascript
auth0.authorize({
  audience: 'https://mystore.com/api/v2',
  scope: 'read:order write:order',
  responseType: 'token',
  redirectUri: 'https://example.com/auth/callback',
  maxAge: 600 // seconds since last active authentication; sent as max_age
});
```
(Note: Auth0.js currently automatically converts camelCased options passed in to snake_cased options, and that's behavior we're relying on in this example. You may need to use max_age instead of maxAge if the library changes!)
With the given options above, your callback URL will receive an auth_time claim within the id_token. You can verify the id_token as usual and then verify that the auth_time is recent enough to qualify as reauthenticating the user.
Warning: prompt=login or prompt=consent is generally a way to indicate to an external (social) identity provider to reauthenticate a user, but Auth0 cannot enforce this. id_token or auth_time to prevent sensitive operations.