
Is there a way to do step up Auth?

Open pushpabrol opened this issue 1 year ago • 3 comments

Say for a particular path MFA should be required. For example, if the location is /basic, just authentication with username + password is enough, but if a user accessed a location such as /special-access, force a re-authentication with a new redirect to the OP with enough information in the redirect to force an MFA. Once the MFA is complete, redirect back to the /special-access location.

NOTE: In the case of mod_oidc for Apache there is a way with the require claim_expr to be able to do this, but I am unsure of how to do that with lua-resty!

pushpabrol avatar Jul 07 '23 16:07 pushpabrol

From what I gather from mod_auth_openidc's docs, require claim_expr will deny access unless the token contains matching claims. You can achieve the same by custom Lua code that verifies the token returned by openidc.authenticate. The function openidc.jwt_verify together with custom claim validators of lua-resty-jwt (see https://github.com/cdbattags/lua-resty-jwt#jwt-validators) may help with that.

bodewig avatar Jul 09 '23 13:07 bodewig

Thanks @bodewig, apologies if I was not clear enough in my question. I think my question was more around how I would force a redirect back to the OP for a specific path. I.e., when I log in and access path /basic I already have a session, and when I access path /make-transfer I am not redirected back to the OP. How would I force a redirect back to the OP with a new authorization request to the OP on accessing a specific path? In mod_oidc for Apache you can do it using OIDCUnAutzAction - https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf#L944C2-L944C18

Is there something similar in lua-resty-openidc?

pushpabrol avatar Jul 10 '23 13:07 pushpabrol

There is no built-in way to achieve this, as you cannot pass custom token validators to authenticate right now. This means you must perform the equivalent of the require with code of your own. The numeric OIDCUnAutzAction equivalents are easily achieved with ngx.exit. In order to simulate auth, you could clear the session data and invoke authenticate a second time.

bodewig avatar Jul 11 '23 19:07 bodewig
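The two suggestions in this thread (check the claims of the token that `openidc.authenticate` returns, and clear the session and call `authenticate` again to get a fresh authorization request) combined into one `access_by_lua_block` for the `/special-access` location. This is an added example written for this thread, not code from lua-resty-openidc or from either commenter. It assumes the OP expresses its MFA policy through the standard `acr` ID token claim and `acr_values` request parameter (OIDC Core 3.1.2.1); the ACR string, discovery URL, client id and secret are placeholders, and `session:destroy()` is assumed to be the lua-resty-session method exposed by the session object that `authenticate` returns.

```lua
-- access_by_lua_block for the /special-access location (added example, not project code).
local openidc = require("resty.openidc")

-- Constructed placeholder: the ACR value the OP advertises for its MFA policy.
local MFA_ACR = "urn:example:mfa"

-- Common client settings; discovery URL, client id and secret are placeholders.
local function base_opts()
  return {
    redirect_uri = "/redirect_uri",
    discovery = "https://op.example.com/.well-known/openid-configuration",
    client_id = "placeholder-client-id",
    client_secret = "placeholder-client-secret",
    scope = "openid",
  }
end

-- The authorization decision: only an ID token issued after MFA carries the
-- matching acr claim. Sending acr_values is merely a request to the OP, so the
-- claim in the returned token, not the request, is what must be checked.
local function has_mfa(res)
  return res ~= nil and res.id_token ~= nil and res.id_token.acr == MFA_ACR
end

-- 1. Normal authentication: reuses the existing (password-only) session if any.
local res, err, _, session = openidc.authenticate(base_opts())
if err then
  ngx.log(ngx.ERR, "authenticate failed: ", err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

if not has_mfa(res) then
  -- 2. The session was established without MFA: drop it so that the next call
  --    starts a fresh authorization request (assumption: lua-resty-session's
  --    destroy() on the session object returned by authenticate).
  if session then
    session:destroy()
  end

  -- 3. Re-run authenticate with extra authorization parameters. target_url
  --    defaults to ngx.var.request_uri, so the user lands back on this location
  --    once the OP has completed MFA and the callback has been processed.
  local opts = base_opts()
  opts.authorization_params = {
    acr_values = MFA_ACR,  -- ask the OP for its MFA policy
    prompt = "login",      -- force re-authentication even if the OP has an SSO session
  }
  res, err = openidc.authenticate(opts)
  -- authenticate redirects to the OP itself and the redirect ends the request,
  -- so reaching this line means no redirect happened; deny rather than fall through.
  if err or not has_mfa(res) then
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end
end

-- The token was issued after MFA: pass the verified subject on to the upstream.
ngx.req.set_header("X-User", res.id_token.sub)
```

After the OP redirects back, the callback handler (the `/redirect_uri` location) stores the new session and sends the browser to `/special-access`, where the same block runs again and now passes `has_mfa`. The `/basic` location keeps a plain `openidc.authenticate(base_opts())` call, so both paths share the session but only `/special-access` demands the stronger `acr`. Because `acr_values` is only a hint, an OP that ignores it will return a token without the claim and the block will deny with 403 rather than grant access on the strength of the request alone.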