Step up Authentication

Hans Zandbelt edited this page Dec 5, 2019 · 17 revisions

TODO:

Since version 2.3.0rc0 the new directive OIDCUnAutzAction enables step-up authentication scenarios when combined with the following:

  • OIDCPathAuthRequestParams, configurable on a per-path basis, used together with OIDCAuthRequestParams as the static per-provider value
  • OIDCPathScope, configurable on a per-path basis, concatenated with OIDCScope as the static per-provider value

Note:

  • this setup can lead to infinite redirect loops
  • Session Management refresh with per-path authn request params & scopes is not possible (yet)
  • Apache 2.4 does the authorization-based redirect with an HTML page containing a meta refresh tag;
    depending on your Apache version/environment you may need to set ErrorDocument 401 " "

Sample configuration using acr_values and the acr claim:

<Location /user>
  AuthType openid-connect
  Require claim acr:1factor
  Require claim acr:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim acr:2factor
  OIDCUnAutzAction auth
  OIDCPathAuthRequestParams acr_values=2factor
  Require valid-user
</Location>

Sample using scope:

<Location /user>
  AuthType openid-connect
  Require claim scope:1factor
  Require claim scope:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim scope:2factor
  OIDCUnAutzAction auth
  OIDCPathScope 2factor
  Require valid-user
</Location>
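
The per-request decision that both samples above rely on, written out as a small Python simulation so the step-up flow and the infinite-redirect hazard from the note can be traced by hand. This is an added example, not mod_auth_openidc's own code: `PathPolicy`, `Session`, `authorize`, `run_flow` and the two constructed providers are illustrative names, and `max_rounds` stands in for a browser's redirect limit. It assumes the Apache 2.4 behaviour that several `Require` lines in one `<Location>` are evaluated as RequireAny, and that a claim holding a space-separated list (such as `scope`) matches when any token equals the required value.

```python
"""Simulation of step-up authentication as configured above (added example).

Models the decision made for each request to a <Location>:
  - is one of the `Require claim <name>:<value>` lines satisfied by the session?
  - if not, and OIDCUnAutzAction is `auth`, redirect to the provider with the
    per-path parameters (OIDCPathAuthRequestParams / OIDCPathScope)
  - otherwise answer 401
`run_flow` repeats that decision after each round trip to the provider, which
makes the infinite-redirect-loop case visible.  Not mod_auth_openidc's code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class PathPolicy:
    """One <Location> block as the simulation sees it (hypothetical model)."""
    path: str
    require_claims: List[Tuple[str, str]]          # Require claim <name>:<value> lines
    unautz_action: str = "401"                     # OIDCUnAutzAction: "401" (default) or "auth"
    auth_request_params: Dict[str, str] = field(default_factory=dict)  # OIDCPathAuthRequestParams
    path_scope: str = ""                           # OIDCPathScope


@dataclass
class Session:
    claims: Dict[str, str]                         # claims of the current session's id_token


def claim_satisfied(session: Session, name: str, value: str) -> bool:
    """A claim matches when any space-separated token of its value equals `value`,
    so "scope": "openid 2factor" satisfies `Require claim scope:2factor`."""
    present = session.claims.get(name)
    return present is not None and value in present.split()


def authorize(policy: PathPolicy, session: Session, static_scope: str = "openid"):
    """Decide one request.  Several `Require` lines act as RequireAny, so one
    matching claim is enough.  Returns ("allow", None), ("redirect", params)
    or ("deny", 401)."""
    if any(claim_satisfied(session, n, v) for n, v in policy.require_claims):
        return "allow", None
    if policy.unautz_action == "auth":
        # Step-up authentication request: per-path params plus the static scope
        # with the per-path scope appended (OIDCScope + OIDCPathScope).
        params = dict(policy.auth_request_params)
        params["scope"] = f"{static_scope} {policy.path_scope}".strip()
        return "redirect", params
    return "deny", 401


def run_flow(policy: PathPolicy, session: Session,
             provider: Callable[[Dict[str, str]], Dict[str, str]], max_rounds: int = 3):
    """Drive the browser <-> Apache <-> provider loop.  `provider` maps the
    authentication request parameters to the claims of the new session.
    Returns ("loop", session) when the policy is still unmet after max_rounds
    redirects: the infinite-redirect situation the note above warns about."""
    for _ in range(max_rounds):
        verdict, detail = authorize(policy, session)
        if verdict != "redirect":
            return verdict, session
        session = Session(provider(detail))
    return "loop", session


# Constructed policies mirroring the acr_values sample above...
USER = PathPolicy("/user", [("acr", "1factor"), ("acr", "2factor")])
ADMIN = PathPolicy("/admin", [("acr", "2factor")], unautz_action="auth",
                   auth_request_params={"acr_values": "2factor"})
# ...and the scope sample.
ADMIN_SCOPE = PathPolicy("/admin", [("scope", "2factor")], unautz_action="auth",
                         path_scope="2factor")


def honoring_provider(params: Dict[str, str]) -> Dict[str, str]:
    """Constructed provider that performs the requested acr and grants the scope."""
    claims = {"scope": params["scope"]}
    if "acr_values" in params:
        claims["acr"] = params["acr_values"]
    return claims


def ignoring_provider(params: Dict[str, str]) -> Dict[str, str]:
    """Constructed provider that ignores acr_values and always returns acr=1factor,
    so /admin keeps redirecting: the loop the note above describes."""
    return {"acr": "1factor", "scope": "openid"}


if __name__ == "__main__":
    one_factor = Session({"acr": "1factor", "scope": "openid"})
    print("/user  ->", authorize(USER, one_factor))
    print("/admin ->", authorize(ADMIN, one_factor))
    print("/admin, provider honours acr_values ->", run_flow(ADMIN, one_factor, honoring_provider)[0])
    print("/admin, provider ignores acr_values  ->", run_flow(ADMIN, one_factor, ignoring_provider)[0])
    print("/admin (scope sample)                ->", run_flow(ADMIN_SCOPE, one_factor, honoring_provider)[0])
```

The `ignoring_provider` case is the one to watch for in a real deployment: if the provider returns a session whose `acr` (or `scope`) still does not satisfy the `Require claim` lines, `OIDCUnAutzAction auth` sends the browser straight back to the provider, and nothing in the configuration breaks the cycle.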