Re-authenticate user before sensitive operations with Classic Login

I’m trying to re-authenticate a user before they do a sensitive operation (e.g. viewing sensitive data). They are already logged in at this point.

I’ve read the answers here and here.

I have a Rails app set up following the instructions in the Rails quick start guide. I’ve tried adding prompt: 'login' and/or max_age: 60 to the authorize_params as shown here, and neither seems to do anything.

When I try to make a user re-authenticate, the two calls are made back to back:

  1. POST “/auth/auth0”
  2. GET “/auth/auth0/callback”

I’d expect the POST request to bring up the universal login page, and then once the user successfully logs in the GET request would be called. But somehow it knows the user is already logged in and just skips the whole process.

I will note that when I use the New Universal Login, it works correctly (I can force the user to re-authenticate without logging them out first). But when I use the Classic Universal Login experience it doesn’t work at all (I am using the Lock.js implementation). I have to use the Classic login for other reasons, so I wanted to confirm: are things like prompt=login supposed to work for Classic?

What would be the correct way to force a user to re-authenticate assuming I am using a Rails app with the Classic Universal login?

Edit: I want to add that I don’t think the POST “/auth/auth0” call makes it to the classic login at all (I have console logging in the classic lock.js widget and nothing appears). It seems to completely skip the universal login experience. Perhaps there is an application setting that I have to change?


Any word on this? Did this ever work with the classic universal login?

It’s been a while so I can’t remember 100%. But I believe I got it to work by changing some of the Application settings in the Auth0 UI.

Under the Application settings, there is one setting called “Use Auth0 instead of the IdP to do Single Sign On”. I had to turn this OFF in order to avoid the endless re-authentication loop. Note: in order to turn this off, I think I had to first turn off the “OIDC Conformant” setting under Advanced Settings → OAuth. I’m not sure of the ramifications of this, or whether you’ll be able to do this in your app.

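Whether the prompt is forced by prompt=login in authorize_params (the original question) or by the tenant SSO/OIDC-conformant settings (the reply above), the application should not assume the re-authentication actually happened. Under OIDC, sending max_age obliges the IdP to return an auth_time claim in the ID token, so the app can check that the user authenticated within the last N seconds before showing the sensitive data. The following is an added example, not code from the original thread, Auth0, or the omniauth-auth0 gem: it uses only the Ruby standard library, builds the same authorize_params hash the poster describes, and checks auth_time on a decoded ID token. The token-building helper and the sample tokens are constructed for the demo; the constant and function names are assumptions. Signature verification against the tenant JWKS (e.g. with the jwt gem) must happen before any claim is trusted and is deliberately left out here.

```ruby
require 'base64'
require 'json'
require 'time'

# How recent the login must be, in seconds. This is both the max_age sent to
# Auth0 (matching the 60 the poster tried) and the bound checked locally.
REAUTH_MAX_AGE = 60

# Extra authorize_params for the re-authentication round trip. In the
# OmniAuth initializer these go under the provider's `authorize_params:` key.
# prompt=login asks for a fresh credential prompt; max_age makes auth_time a
# required claim in the returned ID token (OIDC Core 3.1.2.1), which is what
# the check below relies on.
def reauth_authorize_params
  { prompt: 'login', max_age: REAUTH_MAX_AGE }
end

# Decode the payload segment of a JWT without verifying it. Only call this on
# a token whose signature has already been verified; this helper just parses.
def jwt_payload(id_token)
  segments = id_token.split('.', -1)
  raise ArgumentError, 'malformed JWT' unless segments.length == 3

  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# True only if the ID token carries an integer auth_time no older than
# max_age seconds before `now`. A token without auth_time fails closed: if the
# IdP silently reused its session (the behaviour the poster saw with the
# Classic experience), the prompt never happened and the sensitive operation
# must not proceed.
def recently_authenticated?(id_token, max_age: REAUTH_MAX_AGE, now: Time.now)
  auth_time = jwt_payload(id_token)['auth_time']
  return false unless auth_time.is_a?(Integer)
  return false if auth_time > now.to_i # clock skew / forged future value

  now.to_i - auth_time <= max_age
end

# Constructed, unsigned token for the demo (assumption: not a real Auth0
# token, and not something the real app should ever accept).
def constructed_id_token(claims)
  header  = Base64.urlsafe_encode64({ alg: 'none', typ: 'JWT' }.to_json, padding: false)
  payload = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{payload}.unsigned"
end

if $PROGRAM_NAME == __FILE__
  now   = Time.at(1_700_000_000)
  fresh = constructed_id_token(sub: 'auth0|demo', auth_time: now.to_i - 30)
  stale = constructed_id_token(sub: 'auth0|demo', auth_time: now.to_i - 3600)
  puts "authorize_params: #{reauth_authorize_params.inspect}"
  puts "fresh login accepted: #{recently_authenticated?(fresh, now: now)}"
  puts "stale login accepted: #{recently_authenticated?(stale, now: now)}"
end
```

In the Rails callback action, run recently_authenticated? on the verified ID token from the OmniAuth auth hash before rendering the sensitive page; if it returns false, redirect back to /auth/auth0 with the re-authentication params rather than trusting that the universal login page was shown. That way the app stays safe even if a tenant setting quietly lets Auth0 reuse the existing session.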