-
Notifications
You must be signed in to change notification settings - Fork 327
Step up Authentication
Since version version 2.3.0 the directive OIDCUnAutzAction
enables step-up authentication scenarios when combined with the following:
- add
OIDCPathAuthRequestParams
that is configurable on a per-path basis and useOIDCAuthRequestParams
for the static per-provider value - add
OIDCPathScope
that is configurable on a per-path basis and concatenate withOIDCScope
as static per-provider value
Sample configuration using acr_values
and the acr
claim:
<Location /user>
AuthType openid-connect
Require claim acr:1factor
Require claim acr:2factor
Require valid-user
</Location>
<Location /admin>
AuthType openid-connect
Require claim acr:2factor
OIDCUnAutzAction auth
OIDCPathAuthRequestParams acr_values=2factor
Require valid-user
</Location>
Sample using scope
:
<Location /user>
AuthType openid-connect
Require claim scope:1factor
Require claim scope:2factor
Require valid-user
</Location>
<Location /admin>
AuthType openid-connect
Require claim scope:2factor
OIDCUnAutzAction auth
OIDCPathScope 2factor
Require valid-user
</Location>
Be aware that using OIDCUnAuthzAction auth
will only work when combined with a single Require statement or RequireAll
, so using RequireAny
, multiple Require claim
statements or Require not claim
is not supported (since the first failing condition will start re-authentication)! You may be able to get around this by using a single JQ-based complex expression as documented in https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#complex-expressions.
Sometimes it may also be possible to use regular expressions to achieve OR semantics with a single Require statement e.g:
Require claim acr~L[234]
OIDCUnAutzAction auth
OIDCPathAuthRequestParams acr_values=L2
Notes:
- this setup can lead to infinite redirect loops when the requested scope/acr_value is not granted
- OpenID Connect Session Management does not work with per-path authn request params & scopes