[Question] ReAuthenticate user before the security sensitive API call.
I have a sensitive REST API endpoint for which I would like the user to additionally perform MFA before calling it.
The initial idea was to request an additional claim that would cause a login. But incremental flows, according to this article, are not supported: b2c limitations · AzureAD/microsoft-identity-web Wiki · GitHub
Another article proposes checking whether the second (sensitive) login call was made with a specific argument, which I believe cannot guarantee that it is not actually a first call: Forcing reauthentication with Azure AD - Honza’s Blarg (hajekj.net)
I would appreciate any advice on how it should be properly performed.
When the user tries to access the sensitive REST API, compare the current date time with the last auth time, and trigger the sign-in tech profile.
Thanks for the answer, but what do you mean by "tech profile", and when should it be called? At the moment the general idea is: authentication happens on the frontend for the logged-in user, and the REST API performs a token and scopes check.