DuendeSoftware / Samples

Samples for our Products

Step Up #95

Closed josephdecock closed 1 year ago

josephdecock commented 1 year ago

This sample shows how to set acr_values and/or max_age in an api response to trigger api step up. It ultimately uses the interaction response generator to require a new login based on the subject's claims and the acr_values and/or max_age parameters.

josephdecock commented 1 year ago

Note, I think we may want more samples for authz request validator specifically - I didn't end up using it at all in this one.

brockallen commented 1 year ago

Max age is already checked by the default AIRG: https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs#L208-L217
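
To make the two halves of the flow concrete (the API response that carries acr_values/max_age, and the interaction response generator that forces a new login when the session does not satisfy them), here is an added example. It is not code from the Samples repo or from this PR. It assumes the Duende IdentityServer v6 constructor shape for AuthorizeInteractionResponseGenerator (ISystemClock), that the access token presented to the API carries "acr" and "auth_time" claims, and that the session's acr is recorded in an "acr" claim on the subject; the IdentityServer address and the "mfa" acr value are placeholders. The API side emits the RFC 9470 challenge (error="insufficient_user_authentication" plus acr_values and max_age); the IdentityServer side leaves max_age to the base class, which already checks it, and only adds the acr rule on top.

```csharp
// Added example, not part of the Samples repo or this PR. Two projects shown in one file:
// the API (top-level statements) and an IdentityServer-side generator (class at the bottom).
using System.Security.Claims;
using Duende.IdentityServer.Configuration;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.ResponseHandling;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Validation;
using Microsoft.AspNetCore.Authentication;   // ISystemClock (v6 constructor shape, assumed)
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// ---------- API project ----------
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Bearer").AddJwtBearer("Bearer", o =>
{
    o.Authority = "https://localhost:5001";   // placeholder IdentityServer address
    o.TokenValidationParameters.ValidateAudience = false;
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/sensitive", (HttpContext ctx) =>
{
    var challenge = StepUp.ChallengeFor(ctx.User, requiredAcr: "mfa",
        maxAge: TimeSpan.FromMinutes(5), now: DateTimeOffset.UtcNow);
    if (challenge is not null)
    {
        // RFC 9470 step-up challenge: the client reads acr_values/max_age from this
        // header and starts a new authorize request that carries them.
        ctx.Response.Headers["WWW-Authenticate"] = challenge;
        return Results.Unauthorized();
    }
    return Results.Ok(new { message = "sensitive data" });
}).RequireAuthorization();

app.Run();

public static class StepUp
{
    // Returns null when the token already satisfies the requirement, otherwise the
    // WWW-Authenticate value the API should send. Assumes "acr" and "auth_time" are in the token.
    public static string? ChallengeFor(ClaimsPrincipal user, string requiredAcr, TimeSpan maxAge, DateTimeOffset now)
    {
        var acrOk = user.FindFirst("acr")?.Value == requiredAcr;
        var ageOk = long.TryParse(user.FindFirst("auth_time")?.Value, out var authTime)
                    && now - DateTimeOffset.FromUnixTimeSeconds(authTime) <= maxAge;
        if (acrOk && ageOk) return null;
        return $"Bearer error=\"insufficient_user_authentication\", " +
               $"acr_values=\"{requiredAcr}\", max_age=\"{(int)maxAge.TotalSeconds}\"";
    }
}

// ---------- IdentityServer project ----------
// Register after AddIdentityServer(); the last registration of the interface wins:
//   builder.Services.AddTransient<IAuthorizeInteractionResponseGenerator, StepUpInteractionResponseGenerator>();
public class StepUpInteractionResponseGenerator : AuthorizeInteractionResponseGenerator
{
    public StepUpInteractionResponseGenerator(IdentityServerOptions options, ISystemClock clock,
        ILogger<AuthorizeInteractionResponseGenerator> logger, IConsentService consent, IProfileService profile)
        : base(options, clock, logger, consent, profile) { }

    protected override async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
    {
        // The default generator already handles prompt=login and max_age; keep that behaviour.
        var response = await base.ProcessLoginAsync(request);
        if (response.IsLogin) return response;

        // Added rule: the session's acr must be one of the requested acr_values.
        // Which claim records the session's acr is an assumption of this example.
        var requested = request.AuthenticationContextReferenceClasses;
        if (requested.Count > 0)
        {
            var current = request.Subject?.FindFirst("acr")?.Value;
            if (current is null || !requested.Contains(current))
            {
                return new InteractionResponse { IsLogin = true };
            }
        }
        return response;
    }
}
```

When the generator returns IsLogin, IdentityServer redirects to the login page with the original authorize request (including acr_values) in the returnUrl, which is where a login page can detect the requested acr and route the already-signed-in user to an MFA step before re-issuing the session with the new claim.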

brockallen commented 1 year ago

And FWIW, the IAuthorizationMiddlewareResultHandler is only used when the authorization policy runs as part of the UseAuthorization MW. That's why we ditched its use in BFF, since people could use policies from any place. Not that it matters here, just more of a note.

brockallen commented 1 year ago

So the last couple of ideas that might be nice for the sample:

1) Detect the acr values and let the user know these are being asked for, even though the user is already logged in

2) Add a fake MFA page (with just a button even) to show how/where you'd link that in from the login page, and then the button would re-issue the current user session but now with an MFA claim as needed.

josephdecock commented 1 year ago

> And FWIW, the IAuthorizationMiddlewareResultHandler is only used when the authorization policy runs as part of the UseAuthorization MW. That's why we ditched its use in BFF, since people could use policies from any place. Not that it matters here, just more of a note.

Interesting ... I want to take a look at what the BFF does instead. What am I looking for?

brockallen commented 1 year ago

> Interesting ... I want to take a look at what the BFF does instead. What am I looking for?

I've forgotten, but perhaps here?

https://github.com/DuendeSoftware/BFF/blob/main/src/Duende.Bff/EndpointProcessing/BffAuthenticationService.cs#L47

josephdecock commented 1 year ago

> I've forgotten, but perhaps here?
>
> https://github.com/DuendeSoftware/BFF/blob/main/src/Duende.Bff/EndpointProcessing/BffAuthenticationService.cs#L47

Thanks, that's what I was looking for!