How to handle forced re-authentication after a given time?
franck-grenier opened this issue · comments
Hello,
I'm very happy that you implemented a force re-authentication feature with the prompt=login param in release 11.x: #1577
But I still miss something: the re-authentication should be "time related" in order to have a forced re-authentication last for a given time.
OpenID has a spec for that with the prompt=login + max_age params (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
I know Passport does not implement OpenID but it looks like you started to dive into it with the prompt=login param...
I also advise you to have a look at how Auth0 handles "re-authentication": https://auth0.com/docs/authenticate/login/max-age-reauthentication. This could be done with a new claim auth_time inside the tokens. I don't know if it's possible to customize tokens provided by Passport.
Globally, my question is: with Passport, how can I force the user to re-authenticate if the authentication is older than a given time?
Thanks for your help
@hafezdivandari can you answer this?
This could be done with a new claim auth_time inside the tokens. I don't know if it's possible to customize tokens provided by Passport.
AFAIK adding custom claims to JWT tokens is not supported right now. Here is the related issue: #94, and this is the related PR on the oauth2-server repo: thephpleague/oauth2-server#1122
@driesvints what do you think about adding Passport::useAccessTokenEntity() to override the \Laravel\Passport\Bridge\AccessToken class? Then the user will be able to override the convertToJWT method and add their own custom claims.
It seems that I can achieve something with the help of this extension https://github.com/corbosman/laravel-passport-claims to add custom claims to Passport tokens.
I will be able to compare the auth_time token claim with a database-stored last login time to evaluate the freshness of the auth.
It would be great if Passport had such a built-in feature.
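As an added example (not Passport's code and not part of this thread), here is the kind of freshness check the two comments above describe, written as a Laravel middleware: it reads an auth_time claim from the bearer token (assumed to have been added through a custom-claims hook such as the extension linked above) and applies the OIDC max_age rule, optionally also rejecting tokens whose auth_time predates a database-stored last_login_at on the user. The middleware alias "fresh-auth", the last_login_at column and the 300-second default are assumptions. It must run after the auth:api guard, which is what verifies the JWT signature; the payload decoding here is deliberately unverified.

```php
<?php
// Added example, not Laravel Passport's own code.
// Assumes: the access token JWT carries an `auth_time` claim (Unix timestamp),
// the `auth:api` guard has already verified the signature before this runs,
// and (optionally) the users table has a `last_login_at` timestamp column.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureFreshAuthentication
{
    /**
     * OIDC max_age semantics: re-authentication is required when
     * auth_time + max_age <= now. Fails closed: a missing, malformed or
     * future-dated auth_time is treated as stale. If $lastLoginAt is given,
     * a token issued before the user's most recent login is stale as well.
     */
    public static function isStale(array $claims, int $maxAge, int $now, ?int $lastLoginAt = null): bool
    {
        if (!isset($claims['auth_time']) || !is_numeric($claims['auth_time'])) {
            return true;
        }

        $authTime = (int) $claims['auth_time'];

        if ($authTime > $now) {
            return true; // clock skew or a tampered value: do not trust it
        }

        if ($lastLoginAt !== null && $authTime < $lastLoginAt) {
            return true; // a newer login supersedes this token's authentication
        }

        return ($authTime + $maxAge) <= $now; // max_age=0 always forces re-auth
    }

    /**
     * Decode the payload segment of a compact JWT WITHOUT verifying it.
     * Only safe because the auth:api guard has already validated the token.
     */
    public static function payload(string $jwt): array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return [];
        }

        // base64url -> base64; strict mode rejects characters outside the alphabet
        $json = base64_decode(strtr($parts[1], '-_', '+/'), true);
        $claims = $json === false ? null : json_decode($json, true);

        return is_array($claims) ? $claims : [];
    }

    /**
     * Register as e.g. 'fresh-auth' (assumed alias) and use it as
     * ->middleware(['auth:api', 'fresh-auth:300']) so the guard runs first.
     */
    public function handle(Request $request, Closure $next, $maxAge = 300)
    {
        $claims = self::payload((string) $request->bearerToken());

        $user = $request->user();
        $lastLoginAt = ($user && isset($user->last_login_at))
            ? strtotime((string) $user->last_login_at)
            : null;

        if (self::isStale($claims, (int) $maxAge, time(), $lastLoginAt ?: null)) {
            // 401 with a machine-readable reason lets the client trigger
            // a prompt=login round trip instead of silently refreshing.
            return response()->json(['error' => 'reauthentication_required'], 401);
        }

        return $next($request);
    }
}
```

The check is kept in the static isStale method so it can be unit-tested with fixed timestamps, independent of the HTTP layer. Note that a refresh-token grant would normally carry the original auth_time forward (it does not represent a new login), so this middleware still forces an interactive re-authentication once the window has elapsed, which is the behaviour the thread is asking for.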
Okay, since you found a workaround I'm going to close this. Let's see how the PR goes as well.