Re-Authentication and Step-Up Authentication


What Is Re-Authentication?

Re-Authentication prompts an already signed-in user to present their credentials again, either after a certain amount of time or before a sensitive operation, to confirm that the person using the session is still the user who originally authenticated.

Re-Authentication vs Step-Up

How you implement Re-Authentication depends on your specific use case. Distinguish between simple Re-Authentication for sensitive operations and Step-Up Authentication (i.e. requiring a second factor) for sensitive operations. Both are valid security measures. The former requires the end user to re-enter their password, whereas the latter additionally requires them to complete a two-factor authentication (2FA) challenge.

How to implement it with OIDC?

Your application initiates a Re-Authentication request by calling the Authorize endpoint (/connect/authorize) with the parameters below. The value of max_age is the maximum age, in seconds, of the user's last authentication: if the user authenticated longer ago than this, they have to Re-Authenticate. E.g. setting a value of 300 means that if the user authenticated within the last 5 minutes (300 seconds), the user will not have to Re-Authenticate. Note that a value of 0 (zero) means their entire session will end. The acr_values parameter specifies which authentication method the user must Re-Authenticate with; the example below uses the Visma Connect password method.

&max_age=300&prompt=login&acr_values=urn:idp:vismaconnect:method:pwd

IMPORTANT: The Re-Authentication mechanism can be subverted by the end user simply stripping these parameters from the request as it passes through the web browser, since the authorize request is a redirect that the user fully controls.

You therefore need to validate that a fresh Re-Authentication actually took place. To do this your Application must validate the auth_time, acr and amr claims in the returned ID token: auth_time must be recent enough for the max_age you requested, and acr and amr must show that the method you requested was actually used. Never rely on the fact that you sent the parameters.

If the claim values are not satisfactory, your Application must refuse the sensitive operation and issue another Re-Authentication request.

What Is Step-Up Authentication?

The goal of step-up authentication is to adapt identity requests to the importance of the resource and the risk level if it were to be exposed.

Asking for too little gives your users (or whoever might be posing as them) a dangerous amount of freedom, whereas asking for too much, especially up front, creates obtrusive friction.

Step-Up Authentication is a way to strike a balance between security and friction. It ensures users can access some resources with one way of sign-in but will prompt them for another way when they request access to sensitive resources.

For example, signing in with only a password and then stepping up later with 2FA.

How to implement it with OIDC?

Your application initiates a Step-Up request by calling the Authorize endpoint (/connect/authorize) with the parameters below. The value of max_age is the maximum age, in seconds, of the user's last authentication or previous Step-Up: if it is older than this, they have to Step-Up again. E.g. setting a value of 300 means that if the user authenticated or stepped up within the last 5 minutes (300 seconds), the user will not have to Step-Up again. Note that a value of 0 (zero) means their entire session will end. The acr_values parameter specifies which authentication method the user must Step-Up with; the example below uses Visma Connect 2FA. A user not already enrolled in 2FA will be asked to enroll.

&max_age=300&prompt=login&acr_values=urn:idp:vismaconnect:mfa

IMPORTANT: The Step-Up mechanism can be subverted by the end user simply stripping these parameters from the request as it passes through the web browser, exactly as with Re-Authentication.

You therefore need to validate that a fresh Step-Up actually took place. To do this your Application must validate the auth_time, acr and amr claims in the returned ID token: auth_time must be recent enough for the max_age you requested, and acr and amr must show that the second factor was actually used, not just the password.

If the claim values are not satisfactory, your Application must refuse the sensitive operation and issue another Step-Up request.
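The following is an added example, not code from the original page or from Visma Connect, covering both the Re-Authentication and the Step-Up flows above. It builds the authorize request with max_age, prompt=login and acr_values, and then checks the auth_time, acr and amr claims of the ID token so that a user who stripped the parameters in the browser does not get through. The authorize endpoint host, the clock-skew tolerance, and the assumption that the returned acr claim echoes the requested acr_values and that amr uses the RFC 8176 values "pwd" and "mfa" are assumptions for the sake of the example; check the actual claim values your issuer returns. The claims dictionary is assumed to come from an ID token whose signature, issuer, audience and nonce have already been verified by your OIDC library.

```python
import time
from urllib.parse import urlencode

# Assumed placeholder issuer; the real /connect/authorize URL comes from discovery.
AUTHORIZE_ENDPOINT = "https://issuer.example.invalid/connect/authorize"

# acr_values from the page above.
ACR_PWD = "urn:idp:vismaconnect:method:pwd"  # Re-Authentication with password
ACR_MFA = "urn:idp:vismaconnect:mfa"         # Step-Up with 2FA

# Allowed drift between the IdP clock and ours (assumed value).
CLOCK_SKEW_SECONDS = 60


def build_fresh_auth_url(client_id, redirect_uri, state, nonce, acr_value, max_age=300):
    """Build the authorize request that asks the IdP for a fresh authentication.

    max_age is in seconds; prompt=login forces the login UI; acr_values selects
    the method (password for Re-Authentication, mfa for Step-Up).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age),
        "prompt": "login",
        "acr_values": acr_value,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def fresh_auth_satisfied(claims, expected_acr, required_amr, max_age, now=None):
    """Decide whether the ID token proves a fresh authentication of the right kind.

    Returns (ok, reason). Every check here is something the user cannot forge
    by editing the redirect in the browser, because the claims are signed by the IdP.
    """
    now = time.time() if now is None else now

    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time claim missing; cannot prove freshness"
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return False, "auth_time lies in the future"
    age = now - auth_time
    if age > max_age + CLOCK_SKEW_SECONDS:
        return False, f"authentication is {int(age)}s old, max_age was {max_age}s"

    # acr tells us which method the IdP actually applied (assumed to echo acr_values).
    if claims.get("acr") != expected_acr:
        return False, f"acr is {claims.get('acr')!r}, expected {expected_acr!r}"

    # amr lists the factors used; for Step-Up we insist the second factor is present.
    amr = claims.get("amr") or []
    if not isinstance(amr, list) or not set(required_amr) <= set(amr):
        return False, f"amr {amr!r} lacks required {sorted(required_amr)}"

    return True, "fresh authentication verified"


if __name__ == "__main__":
    # Constructed sample claims, not real tokens.
    now = int(time.time())
    genuine_step_up = {"auth_time": now - 30, "acr": ACR_MFA, "amr": ["pwd", "mfa"]}
    params_stripped = {"auth_time": now - 30, "acr": ACR_PWD, "amr": ["pwd"]}
    stale_session = {"auth_time": now - 3600, "acr": ACR_MFA, "amr": ["pwd", "mfa"]}

    print(build_fresh_auth_url("my-client", "https://app.example.invalid/cb",
                               "st4te", "n0nce", ACR_MFA))
    for label, c in [("genuine", genuine_step_up), ("stripped", params_stripped),
                     ("stale", stale_session)]:
        print(label, fresh_auth_satisfied(c, ACR_MFA, {"mfa"}, 300, now=now))
```

For a plain Re-Authentication check call fresh_auth_satisfied with ACR_PWD and a required amr of {"pwd"}; for Step-Up use ACR_MFA and {"mfa"}. If the function returns False, refuse the sensitive operation and redirect the user to the URL from build_fresh_auth_url again rather than trusting the session.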