panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

How to set max_age on a per request basis? #174

Closed nlfiedler closed 5 years ago

nlfiedler commented 5 years ago

Due to application requirements, we want to selectively require (re)authentication of the user, and setting max_age to 0 seems a splendid way to do that. However, we want to do this on a per-request basis. Using node-openid-client, is there a way we could do that? It seems like the only way to set max_age at all is using the options argument to authenticate(), which is not related to the request, so it is an all or nothing option.

Basically I'm looking for per-request options, but it doesn't look like that is supported.

P.S. I'm using the passport strategy, forgot to mention that sooner. P.P.S. The SAML passport strategy supports a callback to get the options, which is akin to what I would like here.

panva commented 5 years ago

> It seems like the only way to set max_age at all is using the options argument to authenticate(), which is not related to the request, so it is an all or nothing option.

First of all, it's not the only way. Second of all, it is the per-request way of doing so; it's just a matter of how you call it. Please search the issue tracker for passport; you'll find some code snippets for sure.

Can you link the actual saml passport strategy?

big-kahuna-burger commented 5 years ago

@panva I think OP is referring to bergie's passport-saml and more specifically to MultiSamlStrategy. https://github.com/bergie/passport-saml/blob/ce5351d59f07569534c15dfe8b0d29e3eda0461f/multiSamlStrategy.js

panva commented 5 years ago

Yeah, so it's just built in what one can do with a wrapper around authenticate himself?

big-kahuna-burger commented 5 years ago

Yeah, I think an example of how to achieve this will help the OP. Let me try to compose an example gist for it.

panva commented 5 years ago

Something to this end likely?

```js
app.get('/auth', function (req, res, next) {
  const options = { /* ... */ };
  passport.authenticate('oidc', options)(req, res, next);
});
```

big-kahuna-burger commented 5 years ago

Yep, kind of :)

nlfiedler commented 5 years ago

That is excellent, thank you. It did not occur to me to call authenticate() in that manner, but of course that makes sense now that I see it.
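
The wrapper panva sketches above, carried through as an added example (not code from the thread or from openid-client): options are built per request from server-side session state, and the callback side checks the ID token's `auth_time` against what was requested. `optionsFor`, `authenticatePerRequest`, `authTimeSatisfies`, `session.requireReauth` and `session.reauth` are hypothetical names, and the stub `passport` object only stands in for the real one.

```javascript
// Added example. All names except passport.authenticate() and the OIDC
// max_age / auth_time fields are hypothetical.

// Build authorization request options from server-side state for THIS request.
// A sensitive route sets session.requireReauth before redirecting to /auth.
function optionsFor(req) {
  return req.session.requireReauth ? { max_age: 0 } : {};
}

// Middleware factory: pick options per request, then delegate to passport.
function authenticatePerRequest(passport, strategy, pickOptions,
  now = () => Math.floor(Date.now() / 1000)) {
  return function (req, res, next) {
    const options = pickOptions(req);
    if (options.max_age !== undefined) {
      // Remember what was asked for so the callback can enforce it.
      req.session.reauth = { max_age: options.max_age, requestedAt: now() };
      delete req.session.requireReauth;
    }
    return passport.authenticate(strategy, options)(req, res, next);
  };
}

// Callback-side check: the login must be no older than max_age, measured
// from when the request was sent (skew in seconds, assumed value).
function authTimeSatisfies(claims, reauth, skew = 60) {
  if (!reauth) return true; // no re-authentication was requested
  if (typeof claims.auth_time !== 'number') return false; // claim is required
  return claims.auth_time >= reauth.requestedAt - reauth.max_age - skew;
}

// Constructed demo: a stub passport that records the options it was given.
function demo() {
  const seen = [];
  const passport = {
    authenticate: (name, opts) => (req, res, next) => { seen.push(opts); next(); },
  };
  const mw = authenticatePerRequest(passport, 'oidc', optionsFor, () => 1000);
  const normal = { session: {} };
  const stepUp = { session: { requireReauth: true } };
  mw(normal, {}, () => {});
  mw(stepUp, {}, () => {});
  return {
    seen,
    stale: authTimeSatisfies({ auth_time: 500 }, stepUp.session.reauth),
    fresh: authTimeSatisfies({ auth_time: 1003 }, stepUp.session.reauth),
  };
}
console.log(demo());
```

Sending `max_age` only asks the provider for a fresh login; the `auth_time` check in the callback route is what lets the application reject a response that does not reflect one.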