
Redirect back after scope validation failure

Open lewismoore10100 opened this issue 1 year ago • 1 comments

Question related to token validation:

In the example given:

```lua
-- `res` is the result table returned by the lua-resty-openidc call
-- performed just before this check
if res.scope ~= "edit" then
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

How would the user be redirected back to the relevant openid-connect/auth endpoint when the above scope validation fails? The above example simply returns forbidden back to the user, which isn't actionable.

For context, at our organisation we have a different scope depending on whether 2FA login is required or not. Therefore the users are sometimes issued a non-2FA JWT token, and I would like to force the user to log in with 2FA. So ideally I'd like to validate the token and, if the non-2FA scope is present, force a redirect back to OpenID (with the correct scope) to allow login with 2FA.

lewismoore10100 avatar Jan 16 '24 14:01 lewismoore10100

One way would be to create a new opts table with the necessary scope values plus force_reauthorize=true and then invoke authenticate again.

bodewig avatar Aug 25 '24 09:08 bodewig
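A worked version of bodewig's suggestion, added here as an example; it is not code from the issue or from lua-resty-openidc's own documentation. It assumes the OP exposes a dedicated scope for 2FA logins (called `mfa` below, a placeholder name), uses placeholder `redirect_uri`, `discovery`, `client_id` and `client_secret` values, and follows the question in reading the granted scope from `res.scope`; where the scope actually surfaces depends on which lua-resty-openidc call produced `res`, so that field name is an assumption to adapt. `force_reauthorize` and `scope` are documented `opts` fields of `authenticate()`.

```lua
-- Added example, not part of the issue or of lua-resty-openidc itself.
local openidc = require("resty.openidc")

-- Placeholder configuration; replace with your deployment's values.
local base_opts = {
  redirect_uri  = "https://rp.example.invalid/redirect_uri",
  discovery     = "https://op.example.invalid/.well-known/openid-configuration",
  client_id     = "CLIENT_ID_PLACEHOLDER",
  client_secret = "CLIENT_SECRET_PLACEHOLDER",
  scope         = "openid",
}

-- Assumed name of the scope the OP grants only after a 2FA login.
local REQUIRED_SCOPE = "mfa"

-- Scopes are a space-separated list (RFC 6749 format); never compare the
-- whole string, because the OP may grant additional scopes alongside it.
local function has_scope(scope_str, wanted)
  if type(scope_str) ~= "string" then
    return false
  end
  for s in scope_str:gmatch("%S+") do
    if s == wanted then
      return true
    end
  end
  return false
end

-- Step 1: regular authentication. Unauthenticated users are redirected to
-- the OP by authenticate() itself; authenticated ones get their tokens back.
local res, err = openidc.authenticate(base_opts)
if err then
  ngx.status = 500
  ngx.say(err)
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Step 2: the scope check from the question (field location assumed, see above).
if not has_scope(res.scope, REQUIRED_SCOPE) then
  -- Step 3: instead of answering 403, start a fresh authorization request
  -- that asks for the stronger scope. force_reauthorize makes authenticate()
  -- redirect to the OP even though a valid session already exists.
  local upgrade_opts = {}
  for k, v in pairs(base_opts) do
    upgrade_opts[k] = v
  end
  upgrade_opts.scope = "openid " .. REQUIRED_SCOPE
  upgrade_opts.force_reauthorize = true
  openidc.authenticate(upgrade_opts)
  -- authenticate() performs the redirect and terminates the request, so
  -- nothing below runs on this path.
  return
end

-- Only requests carrying the 2FA scope reach the protected content.
```

One caveat worth checking before deploying this: if the OP does not actually grant the requested scope after the second login, the next request fails the same check and is redirected again, producing a redirect loop. Confirm with the OP that the scope is honoured, or make the fallback after the upgrade attempt a hard 403 rather than another redirect.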