Skip to content

Step up Authentication

Jump to bottom Edit New page
Hans Zandbelt edited this page Dec 1, 2022 · 17 revisions

Since version version 2.3.0rc0 the new directive OIDCUnAutzAction enables step-up authentication scenarios when combined with the following:

  • add OIDCPathAuthRequestParams that is configurable on a per-path basis and use OIDCAuthRequestParams for the static per-provider value
  • add OIDCPathScope that is configurable on a per-path basis and concatenate with OIDCScope as static per-provider value

Sample configuration using acr_values and the acr claim:

<Location /user>
  AuthType openid-connect
  Require claim acr:1factor
  Require claim acr:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim acr:2factor
  OIDCUnAutzAction auth
  OIDCPathAuthRequestParams acr_values=2factor
  Require valid-user
</Location>

Sample using scope:

<Location /user>
  AuthType openid-connect
  Require claim scope:1factor
  Require claim scope:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim scope:2factor
  OIDCUnAutzAction auth
  OIDCPathScope 2factor
  Require valid-user
</Location>

Limitations

Be aware that using OIDCUnAuthzAction will only work when combined with a single Require statement or RequireAll, so using RequireAny and multiple Require statements is not supported! You may be able to get around this by using a single JQ-based complex expression as documented in https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#complex-expressions

Notes:

  • this setup can lead to infinite redirect loops
  • Session Management refresh with per-path authn request params & scopes is not possible (yet)
  • Apache 2.4 does the authorization-based redirect with a HTML page with a meta refresh tag;
    depending on your Apache version/environment you may need to set ErrorDocument 401 " "
Add a custom footer
Add a custom sidebar

Clone this wiki locally