I have the same question as this
but the answer there makes no sense to me.
What I want to accomplish:
I want the user to have to reenter their password before being allowed to update certain profile information. They are only allowed to proceed to the edit
screen if the password is correct. I have an Angular SPA that calls our API.
Scenario: We have already obtained a token for calling the API. We have a couple of high-risk endpoints for which we would like to obtain a separate token by re-entering the user's password. The token should be short-lived (5 minutes or so) and have an additional scope.
The problem with the answer:
The recommendation is to use the auth_time claim to see when the last authentication was performed. I think this could work. The problem is that the answer seems to contradict itself.
The auth_time claim is in the ID Token. ID Tokens should not be passed to my API. However, the answer says "Please don’t rely on client-side verification of the id_token or auth_time to prevent sensitive operations."
Also, I don’t see where the password is passed to the authorize end point. I’d
prefer not to redirect the user to the Auth0 login screen but only display a
password box.
Another possible solution:
Another way I was thinking to approach this would be to try to get the token again with the password the user provided and request an additional scope. The API’s endpoint that updates the sensitive profile information would check for the presence of the scope.