Forced re-authentication
13.3.2.4. AS-centric AS - Forced user re-authentication

Use Case Scenario

This scenario is rather complex since it requires many different parts of the authorization server to be configured correctly.

In the end, it will support the following process:

  1. The client starts an authorization code flow to obtain an access and a refresh token.
  2. The client obtains an SSO ticket.
  3. The client starts an authorization code flow with
     a) prompt = login to force re-authentication
     b) acr_values set to strong-acr to force strong authentication
     c) the SSO ticket to restore the session and skip username/password verification
  4. The user provides a 2nd factor to complete the authentication.
  5. The client completes the authorization code flow.

The important properties of this flow are:

  • It uses only the authorization code flow.
  • For authentication, it uses the Loginapp REST UI.
  • It can force re-authentication with a 2nd factor, regardless of how the user was already authenticated.
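The following added example (not part of the original page, and not Airlock IAM's own code) shows the client side of step 3 and what a relying party should verify afterwards. It builds the second authorization request with prompt=login and acr_values=strong-acr and then checks the claims of the resulting ID token: the nonce must match, the acr claim must be the one requested, and auth_time must be later than the request was issued, which is how the client confirms that the authorization server really performed a fresh, strong authentication instead of silently reusing the earlier session. The authorization endpoint URL and the sso_ticket parameter name are assumptions; the page does not state how the SSO ticket is transported. Signature verification of the ID token is assumed to happen before these checks and is not shown.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Hypothetical endpoint: the page names no authorization server URL.
AUTHORIZATION_ENDPOINT = "https://as.example.invalid/authorize"


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for the authorization code flow."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_reauth_request(client_id, redirect_uri, acr, sso_ticket=None,
                         endpoint=AUTHORIZATION_ENDPOINT):
    """Build the step-3 authorization request (prompt=login + acr_values).

    Returns the URL to redirect the user to and the per-request state the
    client must remember to validate the response later.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "prompt": "login",   # step 3a: force re-authentication
        "acr_values": acr,   # step 3b: require the strong authentication level
    }
    if sso_ticket is not None:
        # Step 3c. "sso_ticket" is a hypothetical parameter name; the page does
        # not specify how the ticket is passed to the authorization server.
        params["sso_ticket"] = sso_ticket
    pending = {
        "state": state,
        "nonce": nonce,
        "code_verifier": verifier,
        "acr": acr,
        "issued_at": int(time.time()),
    }
    return endpoint + "?" + urlencode(params), pending


def verify_reauth_claims(claims, pending, now=None, max_age=300, skew=5):
    """Check ID token claims after the re-authentication flow completed.

    Returns (ok, reason). The signature is assumed to be verified already.
    """
    now = int(time.time()) if now is None else now
    if claims.get("nonce") != pending["nonce"]:
        return False, "nonce mismatch: token does not belong to this request"
    if claims.get("acr") != pending["acr"]:
        # The AS downgraded (or ignored) the requested authentication level.
        return False, "acr %r does not satisfy requested %r" % (claims.get("acr"), pending["acr"])
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False, "auth_time missing: cannot prove a fresh authentication"
    if auth_time + skew < pending["issued_at"]:
        # Authentication predates our prompt=login request: the old session was reused.
        return False, "authentication predates the re-authentication request"
    if now - auth_time > max_age:
        return False, "authentication is older than %d seconds" % max_age
    return True, "ok"


if __name__ == "__main__":
    url, pending = build_reauth_request("strong-app", "https://strong-app.example.invalid/cb",
                                        "strong-acr", sso_ticket="SSO-TICKET-PLACEHOLDER")
    print(url)
    # Constructed sample claims standing in for a decoded, signature-checked ID token.
    claims = {"nonce": pending["nonce"], "acr": "strong-acr", "auth_time": int(time.time())}
    print(verify_reauth_claims(claims, pending))
```

The acr comparison is deliberately strict: a token carrying weak-acr after a strong-acr request means the user never presented the 2nd factor, and the client must reject it rather than treat any successful code exchange as strong authentication.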

Overview

Applications

In this scenario, we will describe a setup with 3 applications:

  • weak-app - this app is accessible with username/password only and does not require strong authentication
    • requires one-factor authentication: username/password
    • is initiated with acr_values = weak-acr
  • strong-app - this app is accessible with strong authentication only, either with the full authentication or with SSO ticket/2nd factor authentication
    • requires two-factor authentication: username/password and mTAN
    • is initiated with acr_values = strong-acr

Use Cases

The use cases build on each other incrementally in their configuration. If you want to try this scenario in full, it is recommended to follow the use cases in order and to test each one before proceeding to the next: