laravel / passport

Laravel Passport provides OAuth2 server support to Laravel.

Home Page: https://laravel.com/docs/passport


How to handle forced re-authentication after a given time?

franck-grenier opened this issue · comments

Hello,
I'm very happy that you implemented a force re-authentication feature with the prompt=login param in release 11.x: #1577

But I still miss something: the re-authentication should be "time related" in order to have a forced re-authentication last for a given time.

OpenID has a spec for that with prompt=login + max_age param (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

I know Passport does not implement OpenID but it looks like you started to dive into it with the prompt=login param...

I also advise you to have a look at how Auth0 handles "re-authentication": https://auth0.com/docs/authenticate/login/max-age-reauthentication. This could be done with a new claim auth_time inside the tokens. I don't know if it's possible to customize tokens provided by Passport.

Globally, my question is: with Passport, how can I force a user to re-authenticate if the authentication is older than a given time?

Thanks for your help

@hafezdivandari can you answer this?

This could be done with a new claim auth_time inside the tokens. I don't know if it's possible to customize tokens provided by Passport.

AFAIK adding custom claims to JWT tokens is not supported right now. Here is the related issue: #94, and this is the related PR on the oauth2-server repo: thephpleague/oauth2-server#1122

@driesvints what do you think about adding Passport::useAccessTokenEntity() to override the \Laravel\Passport\Bridge\AccessToken class? Then the user will be able to override the convertToJWT method and add their own custom claims.

It seems that I can achieve something with the help of this extension https://github.com/corbosman/laravel-passport-claims to add custom claims to Passport tokens.

I will be able to compare the auth_time token claim with a database stored last login time to evaluate freshness of auth.

It would be great if Passport had such a built-in feature.
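As an added example (not code from Passport, the laravel-passport-claims extension, or anyone in this thread), a framework-free PHP check that applies the OpenID Connect max_age rule to an auth_time claim like the one discussed above. It assumes the claim has already been added to the token and that the token's signature has been verified before the claims reach this function; the names authNeedsRefresh and MAX_SKEW are my own.

```php
<?php
declare(strict_types=1);

// Tolerated clock difference (seconds) between the token issuer and this server. Assumed value.
const MAX_SKEW = 60;

/**
 * Decide whether the user must re-authenticate, following the OpenID Connect
 * max_age rule: the login is acceptable only while auth_time + max_age > now.
 *
 * @param array<string,mixed> $claims    decoded, signature-verified token claims
 * @param int|null            $maxAge    max_age from the authorization request; null = not requested
 * @param int                 $now       current unix time, injectable for testing
 * @param int|null            $lastLogin last login time stored server-side (the DB cross-check
 *                                       mentioned in the thread); null = no record available
 */
function authNeedsRefresh(array $claims, ?int $maxAge, int $now, ?int $lastLogin = null): bool
{
    if ($maxAge === null) {
        return false;          // client did not ask for a freshness guarantee
    }
    if ($maxAge === 0) {
        return true;           // per the OIDC spec, max_age=0 behaves like prompt=login
    }
    if (!isset($claims['auth_time']) || !is_int($claims['auth_time'])) {
        return true;           // freshness was requested but is unknown: fail closed
    }
    $authTime = $claims['auth_time'];
    if ($authTime > $now + MAX_SKEW) {
        return true;           // auth_time lies in the future: tampering or a badly skewed clock
    }
    // Conservative cross-check against the server-side record: use the older of the two
    // timestamps, so a token can never look fresher than what the server itself recorded.
    if ($lastLogin !== null && $lastLogin < $authTime) {
        $authTime = $lastLogin;
    }
    return ($authTime + $maxAge) <= $now;
}

// Constructed sample input: a login two hours ago, evaluated against two different max_age values.
$now    = 1_700_000_000;
$claims = ['sub' => '42', 'auth_time' => $now - 7200];

$mustReauthForOneHour = authNeedsRefresh($claims, 3600, $now);    // max_age of one hour
$mustReauthForOneDay  = authNeedsRefresh($claims, 86400, $now);   // max_age of one day
$mustReauthNoClaim    = authNeedsRefresh(['sub' => '42'], 3600, $now); // token without auth_time
```

When the function returns true, the authorization server should redirect through the login step (the prompt=login behaviour from #1577) instead of reusing the existing session.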

Okay, since you found a workaround I'm going to close this. Let's see how the PR goes as well.