AS-centric AS - Forced user re-authenticate

Use Case Scenario

This scenario is rather complex since it requires many different parts of the authorization server to be configured correctly.

In the end, It will support the following process:

The client starts an authorization code flow to obtain access and refresh token

See AS-centric AS - authorization code flow usage

The client obtains an SSO ticket
The client starts an authorization code flow with

prompt = login to force re-authentication
acr_values set to strong-acr to force strong authentication
SSO ticket to restore the session and skip username/password verification

The user will provide a 2nd factor to complete the authentication
The client will complete the authorization code flow

The important properties of this flow are:

It uses only the authorization code flow.
For authentication, it uses the Loginapp REST UI.
It can force re-authentication with a 2nd factor, regardless of how the user was already authenticated.

Overview

Applications

In this scenario, we will describe a setup with 3 applications:

weak-app - this app will be accessible with username/password only and not require strong authentication

requires one-factor authentication: username/password
is initiated with acr_values = weak-acr

strong-app - this app will be accessible with strong authentication only, either with the full authentication or with SSO ticket/2nd factor authentication

requires two-factor authentication: username/password and mTAN
is initiated with acr_values = strong-acr

Use Cases

The use cases are incremental in their configuration. If you want to try this scenario in full, it is recommended to follow the use cases in order and to test them before proceeding to the next use case:

13.3.2.4.1. Use Case – Weak authentication

13.3.2.4.2. Use Case – Strong authentication

13.3.2.4.3. Use Case – Step-up with SSO ticket