zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Redirect back after scope validation failure #506

Open lewismoore10100 opened 8 months ago

lewismoore10100 commented 8 months ago

Question related to token validation:

In the example given:

if res.scope ~= "edit" then
  ngx.exit(ngx.HTTP_FORBIDDEN)
end

How would the user be redirected back to the relevant openid-connect/auth endpoint when the above scope validation fails? The above example simply returns forbidden to the user, which isn't actionable.

For context, at our organisation we have a different scope depending on whether 2FA login is required or not. Therefore sometimes the users are issued a non-2FA JWT token, and I would like to force the user to log in with 2FA. So ideally I'd like to validate the token and, if the non-2FA scope is present, force a redirect back to openid (with the correct scope) to allow login with 2FA.

bodewig commented 3 weeks ago

One way would be to create a new opts table with the necessary scope values plus force_reauthorize=true and then invoke authenticate again.
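One way to implement what bodewig describes, as an added example that is neither part of this thread nor the project's own sample code. It assumes the script runs in an access_by_lua_block, that the IdP marks 2FA logins with a scope named "mfa" (a placeholder) carried as a claim on the ID token, and that the issuer and client values are placeholders.

```lua
local openidc = require("resty.openidc")

-- Base options; issuer and client values are placeholders, not real settings.
local base_opts = {
  discovery     = "https://<issuer>/.well-known/openid-configuration",
  client_id     = "<client_id>",
  client_secret = "<client_secret>",
  redirect_uri  = "/redirect_uri",
  scope         = "openid",
}

-- Assumption: the IdP adds the scope "mfa" to tokens issued after a 2FA login.
local STEP_UP_SCOPE = "mfa"

-- True if the space-separated scope string contains the wanted scope.
local function has_scope(scope_str, wanted)
  for s in string.gmatch(scope_str or "", "%S+") do
    if s == wanted then return true end
  end
  return false
end

local function fail(err)
  ngx.status = 500
  ngx.say(err)
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Normal authentication: returns the cached session tokens if one exists.
local res, err = openidc.authenticate(base_opts)
if err then fail(err) end

-- Assumption: the scope is a claim on the ID token (res.id_token); decode the
-- access token instead if the IdP carries the scope there.
if not has_scope(res.id_token.scope, STEP_UP_SCOPE) then
  -- Second opts table: stronger scope plus force_reauthorize, so authenticate()
  -- starts a fresh authorization round trip despite the existing session.
  local step_up_opts = {}
  for k, v in pairs(base_opts) do step_up_opts[k] = v end
  step_up_opts.scope = base_opts.scope .. " " .. STEP_UP_SCOPE
  step_up_opts.force_reauthorize = true

  -- Redirects the browser to the authorization endpoint and ends this request;
  -- after the callback the session holds the new tokens and the check passes.
  res, err = openidc.authenticate(step_up_opts)
  if err then fail(err) end
end

-- Only requests whose token carries the 2FA scope reach the upstream.
ngx.req.set_header("X-USER", res.id_token.sub)
```

If the IdP never grants the requested scope, this redirects on every request, so bound the number of step-up attempts (for example in session data) before relying on it.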