Forced user re-authenticate

Use Case Scenario

This scenario is rather complex since it requires many different parts of the authorization server to be configured correctly.

In the end, It will support the following process:

  1. The client starts an authorization code flow to obtain access and refresh token
    1. See Authorization code flow usage
  2. The client obtains an SSO ticket
  3. The client starts an authorization code flow with
    1. prompt = login to force re-authentication
    2. acr_values set to strong-acr to force strong authentication
    3. SSO ticket to restore the session and skip username/password verification
  4. The user will provide a 2nd factor to complete the authentication
  5. The client will complete the authorization code flow

The important properties of this flow are:

  • It uses only the authorization code flow.
  • For authentication, it uses the Loginapp UI.
  • It can force re-authentication with a 2nd factor, regardless of how the user was already authenticated.



In this scenario, we will describe a setup with 3 applications:

  • weak-app - this app will be accessible with username/password only and not require strong authentication
    • requires one-factor authentication: username/password
    • is initiated with acr_values = weak-acr
  • strong-app - this app will be accessible with strong authentication only, either with the full authentication or with SSO ticket/2nd factor authentication
    • requires two-factor authentication: username/password and mTAN
    • is initiated with acr_values = strong-acr