
Re-Authenticate User before sensitive operations


#1

I have the same question as this

but the answer there makes no sense to me.

What I want to accomplish:

I want the user to have to re-enter their password before being allowed to update certain profile information. They are only allowed to proceed to the edit screen if the password is correct. I have an Angular SPA that calls our API.

Scenario: We have already obtained a token for calling the API. We have a couple of high-risk endpoints for which we would like to obtain a separate token by re-entering the user's password. The token should be short-lived (5 minutes or so) and have an additional scope.

The problem with the answer:

The recommendation is to use auth_time claim to see when the last authentication was performed. I think this could work. The problem is that the answer seems to contradict itself.

The auth_time claim is in the ID Token. ID Tokens should not be passed to my API. However, the answer says "Please don't rely on client-side verification of the id_token or auth_time to prevent sensitive operations."

Also, I don't see where the password is passed to the authorize endpoint. I'd prefer not to redirect the user to the Auth0 login screen but only display a password box.

Another possible solution:

Another way I was thinking to approach this would be to try to get the token again with the password the user provided and request an additional scope. The API’s endpoint that updates the sensitive profile information would check for the presence of the scope.


#2

You can call /authorize with `prompt=login` (`prompt: 'login'` if you're using auth0.js) and the login box will always appear (even if you're already logged in).

One other approach would be to log the user in with the "default" scopes (let's say `openid email profile`) and create scopes for each one of the sensitive operations. Then, when you call your API, the scope won't be there and you should redirect to the login page with the scope you created. This will also trigger a new login, because you're adding more scopes to the mix.

Does that solve your issue?
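The server side of the scope-based approach described in this thread, as an added example that is not code from either poster or from Auth0: the API treats the step-up scope and the token's freshness as the authorization signal, and answers a failed check with `insufficient_scope` so the SPA knows to go back to `/authorize` with `prompt=login` and the extra scope. The scope name `update:sensitive_profile`, the 300-second window, and the Express-style `req.auth` wiring are assumptions; the token's signature, issuer and audience are assumed to have been verified by a JWT library before these claims are inspected.

```javascript
// Added example, not from the thread. Assumes the access token has ALREADY been
// signature-verified (issuer/audience checked) by your JWT middleware; this code
// only inspects the verified claims it was handed.

const STEP_UP_SCOPE = 'update:sensitive_profile'; // hypothetical scope name
const MAX_TOKEN_AGE_SEC = 300;                    // "5 minutes or so" from the question

// Split the space-delimited OAuth2 `scope` claim into a Set of individual scopes.
function parseScopes(scopeClaim) {
  if (typeof scopeClaim !== 'string') return new Set();
  return new Set(scopeClaim.split(' ').filter(Boolean));
}

// Decide whether verified claims authorize the sensitive operation.
// Returns { allowed, reason } so the caller can log and deny uniformly.
function checkStepUp(claims, nowSec = Math.floor(Date.now() / 1000)) {
  const scopes = parseScopes(claims.scope);
  if (!scopes.has(STEP_UP_SCOPE)) {
    return { allowed: false, reason: 'missing_step_up_scope' };
  }
  if (!Number.isInteger(claims.iat)) {
    return { allowed: false, reason: 'missing_iat' };
  }
  // Freshness: the step-up token must have been issued within the window,
  // so a long-lived token that merely carries the scope is not enough.
  if (nowSec - claims.iat > MAX_TOKEN_AGE_SEC) {
    return { allowed: false, reason: 'token_too_old' };
  }
  // Standard `exp` check; the verification library normally enforces this too.
  if (Number.isInteger(claims.exp) && claims.exp <= nowSec) {
    return { allowed: false, reason: 'token_expired' };
  }
  return { allowed: true, reason: 'ok' };
}

// Express-style middleware (hypothetical wiring): `req.auth` is assumed to hold
// the verified claims placed there by whatever JWT middleware runs first.
function requireStepUp(req, res, next) {
  const result = checkStepUp(req.auth || {});
  if (!result.allowed) {
    // RFC 6750 insufficient_scope tells the SPA which scope to request when it
    // redirects to /authorize with prompt=login, as post #2 describes.
    res.setHeader('WWW-Authenticate',
      `Bearer error="insufficient_scope", scope="${STEP_UP_SCOPE}"`);
    return res.status(403).json({ error: result.reason });
  }
  return next();
}

// Constructed sample claims for a local run (not real tokens).
const NOW = 1700000000;
const freshStepUpToken = { scope: 'openid profile ' + STEP_UP_SCOPE, iat: NOW - 60,  exp: NOW + 240 };
const ordinaryToken    = { scope: 'openid profile',                  iat: NOW - 60,  exp: NOW + 3600 };
const staleStepUpToken = { scope: STEP_UP_SCOPE,                     iat: NOW - 900, exp: NOW + 3600 };

console.log(checkStepUp(freshStepUpToken, NOW)); // { allowed: true, reason: 'ok' }
console.log(checkStepUp(ordinaryToken, NOW));    // missing_step_up_scope
console.log(checkStepUp(staleStepUpToken, NOW)); // token_too_old
```

Wire `requireStepUp` only onto the high-risk routes; the ordinary profile routes keep accepting the default-scope token. Because the decision rests on claims in the access token the API actually receives, it avoids the contradiction the question points out about relying on the ID token's `auth_time` client-side.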