Description
Hello,
I'm very happy that you implemented a force re-authentication feature with the prompt=login param in release 11.x: #1577
But I still miss something: the re-authentication should be "time related" in order to have a forced re-authentication last for a given time.
OpenID has a spec for that with prompt=login + max_age param (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
I know Passport does not implement OpenID but it looks like you started to dive into it with the prompt=login param...
I also advise you to have a look at how Auth0 handles "re-authentication": https://auth0.com/docs/authenticate/login/max-age-reauthentication. This could be done with a new claim auth_time inside the tokens. I don't know if it's possible to customize tokens provided by Passport.
Globally, my question is: with Passport, how can I force a user to re-authenticate if the authentication is older than a given time?
Thanks for your help
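For readers of this issue, here is the max_age / auth_time check from the OIDC spec linked above written out as a framework-neutral example. It is added here and is not Passport's code; it assumes the token's signature has already been verified elsewhere, and the token it builds is a constructed sample (unsigned payload with a dummy signature part) used only to show the decoding.

```python
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for the demo: the signature part is a dummy,
    so this must never be accepted by a real verifier."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Assumption: the signature was
    verified before the claims are trusted (this function does not do it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_reauth(claims: dict, max_age: int, now: Optional[int] = None,
                 skew: int = 60) -> bool:
    """OIDC Core 3.1.2.1: when max_age is requested the ID token MUST carry
    auth_time, and the RP re-authenticates if now - auth_time > max_age.
    A missing, non-integer or future auth_time is treated as 'too old'
    rather than silently trusted (fail closed)."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return True
    if auth_time > now + skew:  # beyond tolerated clock skew: don't trust it
        return True
    return now - auth_time > max_age


def reauth_params(max_age: int) -> dict:
    """Query parameters an RP adds to the authorization request to get a
    fresh login that is at most max_age seconds old."""
    return {"prompt": "login", "max_age": str(max_age)}
```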