Step-Up auth

[jmattheis]

Actions including

• deleting clients,applications
• creating/deleting/modifying users
• changing the password of the current user

Should require step-up auth. Meaning the user has to re authenticate with

• their user password if it's a local user
• the IdP server, if it's a oidc user

This is to ensure that potentially unrecoverable actions are a more secured.

We probably have to add another field to the user to define the last used login method, so we can use this to determine how to re authenticate.

Todos:

• Local user step-up: Add /auth/step-up api which accepts a client-id, and step-up duration e.g. (15m). This endpoint should require basic auth.
• Oidc step up
  • Add step up boolean flag to /auth/oidc/login endpoint, and store it in pending session
  • On /auth/oidc/callback we see the stepup flag and can read the existing session cookie and then do the step up. We'll have to additionally validate that the user of the session and the oidc callback matches.
  • Redirect the user back to the previously open page.

[eternal-flame-AD]

lgtm

Redirect the user back to the previously open page.

I would say just open a new tab for auth, as soon as we know the current session is successfully stepped up, show a confirmation dialog and if the user press yes I would think that is sufficient authorization (similar to GitHub mobile app 2FA). Redirecting feels a little difficult for the current SPA.

[jmattheis]

I think just redirecting is easier, because then we don't need code for checking if the session was stepped up. If it's easier to do the flow in another window I'm not against it (:, as it's better UX.

[eternal-flame-AD]

Ah gotcha, I was thinking more about trying to get the user back to exactly where it was, if you navigated away from the SPA and try to redirect back the state (of the frontend) might be lost. But there aren't too many actions needing this so I'm okay either way.