I have an application that allows a user with a "level of trust 1" (delivered in a claim) to use the application but requires a higher level of trust (verified ID) for a specific action. My application is a Javascript frontend with a PHP backend and runs on an apache2 with mod_auth_oidc (obviously :) ) and authenticates with a CoreOne Suite IDP. I can log in and start the LoT2 onboarding process at the IDP if I pass the required claims as a request param to the IDP using OIDCAuthRequestParams "acr_values=#"; that works fine. My question now is: how do I get mod_auth_oidc to consider my current login insufficient and restart the login process while forwarding the required params to the IDP? My current hack is to force a logout, reload the page with a query param and then have my frontend restart the login automatically with the required params, but that looks/feels terrible. I tried having a second URL with a Require claim directive, but that just gives me a "forbidden" response if I am successfully logged in but don't have the required claims; it doesn't trigger a "relogin". Any ideas? Maybe I can invalidate the oidc login in my backend and redirect to the same URL passing the acr_values param, that way triggering an oidc login process? But how would I do that from within PHP?
Replies: 2 comments
https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication
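For readers who want to see the shape of the step-up configuration the linked wiki page describes, here is an added Apache configuration example. It is not taken from the wiki page or from the original discussion, and it assumes a mod_auth_openidc 2.4.x build in which `OIDCUnAutzAction` accepts the value `auth` plus an extra authentication-request parameter string (check the directive documentation shipped with your version before relying on it). The ACR URNs, hostnames, client id and passphrases are placeholders.

```apache
# Added example: step-up authentication with mod_auth_openidc.
# Assumption: OIDCUnAutzAction supports "auth <params>" (2.4.x); all
# hostnames, ACR values and secrets below are placeholders.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID my-client-id-placeholder
OIDCClientSecret client-secret-placeholder
OIDCRedirectURI https://app.example.com/protected/redirect_uri
OIDCCryptoPassphrase crypto-passphrase-placeholder

# Regular part of the application: any authenticated user is enough
# (level of trust 1 as delivered in the ID token claim).
<Location /protected/>
  AuthType openid-connect
  Require valid-user
</Location>

# The sensitive action: authorization requires the higher ACR claim.
# A user who is logged in with a lower ACR would normally get 403 here;
# with OIDCUnAutzAction auth the module instead starts a new
# authentication at the IDP, adding acr_values to the request so the
# IDP performs the step-up and then returns the user to this URL.
<Location /protected/verified-action>
  AuthType openid-connect
  Require claim acr:urn:example:lot2
  OIDCUnAutzAction auth "acr_values=urn:example:lot2"
</Location>
```

Two things worth checking in such a setup: the IDP has to put the resulting `acr` value into the ID token (a `Require claim` rule can only match what is actually returned), and the PHP backend should still verify the claim it receives from the module (by default as the `OIDC_CLAIM_acr` request header) before performing the sensitive action, rather than trusting that the request reached the right path.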