1

At my company we have a central auth server running IdentityServer. There are a number of applications providing some API to client applications. API requests are authenticated with JWT tokens issued by said auth server. It works fine for our purposes.

We have a new requirement that basically needs a secondary verification for some actions.
Scenario goes like this:

  • User logs into an app.
  • User wants to perform an action that requires elevated access and he is asked to confirm the action.
  • User enters a one time password from TOTP/SMS
  • Intent is confirmed and API responds to action.

Ihe implementation I have in mind is as follows:

  • API gets a request, checks JWT amr claim, sees no otp, returns 401 Unauthorized/403 Forbidden with WWW-Authenticate: mfa (or something along those lines) and a unique id for action
  • App gets 401 response and notices it needs to verify the action with OTP, then redirects to auth server with given id
  • Auth server verifies OTP and returns a new but short-lived JWT (with amr=otp) that only authorizes said action
  • App uses this JWT to resend the request to API
  • API performs restricted action
  • App continues using regular JWT (discards JWT used for OTP)

Now my question is, do you think this is a valid/good approach? Are there better ways of handling this operation?

Improve this question

1 Answer 1

Reset to default
0

This approach seems a good one to me. However, there might be some remarks to take into account:

  1. The extra roundtrip to the auth server causes extra traffic and the extra administration (unique ID for the action to be authorized) might take a lot of effort to implement. So make sure that this is really needed for the action to protect.
  2. You have to make sure that the OTP (One-time Password) is indeed only valid to access the authorized action for only one time. So you might have to add extra administration to this API to make sure that the JWT token with the OTP is not used again (e.g. because the JWT with OTP is copied/stolen somewhere at client side). Only discarding the JWT is not enough.
Improve this answer
1
  • adressing (2): Making the token shortlived would minimize the administrative effort. Commented Oct 15, 2021 at 11:53

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.