manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

support for electronic signature #933

Open ghost opened 4 years ago

ghost commented 4 years ago

I am looking into using angular-oauth2-oidc for our angular web application.

In our application we need to re-authenticate the user for certain critical actions (electronic signature) despite the fact that the application still has a valid session (i.e. token) for this user. This re-authentication should not have any impact on the ongoing session of the application, but should just ensure that the user must prove its identity again, and report back some user information identifying the user.

To my understanding OIDC would support this by using the authentication endpoint with query parameter prompt=login or max_time=0 or so...

I could not find a method in your library supporting this, like e.g.

authenticate({prompt: 'login'}): promise;

although your library must have everything in place to provide this easily.

Is there a way to do this with your library? If no, would you consider adding something like this?

jeroenheijmans commented 4 years ago

Could you elaborate which part of the OIDC spec you're referring to? This library supports (the now deprecated) Implicit Flow as well as Code Flow with PKCE. I suppose you could reconfigure the lib to at some point re-login with a broader set of scopes if that's what you mean?

Other than that, I'm not sure what you're exactly after - but maybe some other community member might?

ghost commented 4 years ago

I am referring to https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest request parameters prompt and max_age

We are using the code flow with PKCE.

This is not about logging in again. This is about proving your identity before very specific actions. Like in a banking application, despite being logged in already, needing to re-authenticate before being able to execute a money transfer. You typically need to do this each time ...

The important thing is,

  1. that any valid session, your authentication mechanism has in place, say a browser cookie, shall be ignored (hence prompt = login or max_age = 0).
  2. that the access token returned is used only for this action, but the application itself can continue with the old token. The new access token is just granting this very specific action.

It would be nice if angular-oauth2-oidc would support this somehow - i.e. just to get new tokens via all supported flows without touching the tokens already stored. The login dialog should probably happen in an iframe or so, since the application state should not be destroyed ...

I guess everything you need is already in your library, just not exposed ...

jeroenheijmans commented 4 years ago

On a high level I kinda see what you mean. I'll tag the issue appropriately. I'm not sure about follow up or concrete stuff to get this rolling though, and it might be out of scope for the lib, not sure.

muhammedmisir commented 1 year ago

Is there any update for this?

sylvietseng commented 1 year ago

I found a way to add a custom parameter (such as prompt=login) in the auth url:

https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/custom-query-parameters.html
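Added example, not code from angular-oauth2-oidc or from anyone in this thread: the two client-side pieces a step-up re-authentication needs when the custom parameters above are used with Code Flow + PKCE. It assumes the caller generates its own random `state`/`nonce` and the PKCE challenge, and that the result is kept separate from the session's stored tokens; `issuerAuthorizeUrl` and all sample values are placeholders. The point the thread does not spell out is the check on the returned ID token: with `max_age` the OP must include `auth_time`, and the relying party has to verify it is recent, or the "re-authentication" proves nothing.

```typescript
// Inputs for one step-up request. All values are supplied by the caller;
// state and nonce must be fresh random values bound to this single action.
interface StepUpRequest {
  issuerAuthorizeUrl: string; // placeholder, e.g. https://idp.example/authorize
  clientId: string;
  redirectUri: string;
  scope: string;
  state: string;
  nonce: string;
  codeChallenge: string; // PKCE S256 challenge computed by the caller
}

// Authorization request that ignores any existing IdP session (prompt=login)
// and forces auth_time into the ID token (max_age=0), per OIDC Core 3.1.2.1.
function buildStepUpAuthUrl(r: StepUpRequest): string {
  const p = new URLSearchParams({
    response_type: 'code',
    client_id: r.clientId,
    redirect_uri: r.redirectUri,
    scope: r.scope,
    state: r.state,
    nonce: r.nonce,
    code_challenge: r.codeChallenge,
    code_challenge_method: 'S256',
    prompt: 'login',
    max_age: '0',
  });
  return `${r.issuerAuthorizeUrl}?${p.toString()}`;
}

// Only the claims this check needs (signature/iss/aud/exp are assumed to have
// been validated already by the library's normal ID token processing).
interface IdTokenClaims { sub: string; nonce?: string; auth_time?: number; }

// Returns null when the step-up result may be trusted for the critical action,
// otherwise the reason to reject it. nowSec is injected for determinism;
// maxAgeSec is how old auth_time may be (a few tens of seconds is realistic).
function checkStepUpResult(
  claims: IdTokenClaims, expectedSub: string, expectedNonce: string,
  nowSec: number, maxAgeSec = 60,
): string | null {
  if (claims.sub !== expectedSub) return 'sub does not match the logged-in user';
  if (claims.nonce !== expectedNonce) return 'nonce mismatch (possible replay)';
  if (typeof claims.auth_time !== 'number') return 'auth_time missing although max_age was requested';
  if (nowSec - claims.auth_time > maxAgeSec) return 'auth_time too old: user was not re-authenticated';
  if (claims.auth_time > nowSec + maxAgeSec) return 'auth_time in the future';
  return null;
}
```

The token obtained from this exchange should live in its own holder and be sent only with the signing request, never written into the library's token storage, so the ongoing session keeps its original tokens.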