`NamedExec` and change unit tests for this. If it solves my connection issue, I will send a PR.
I have to implement a "Re-enter password" feature for some critical user actions in my product. For example, on GitHub, if you are deleting a repo, it asks for a password again as a security measure. To implement such a feature in authn, here are my thoughts:

1) Allow go-authn to extract `iat` as well as
`iat` is "issued at" for JWT.
2) Use `iat` to determine if the token was generated before 5 mins ago (configurable). If it was, return 401, compelling the frontend to pop up a password screen.
3) A new token is generated and the security-critical request is sent again. This time the `iat` check would pass.

My concern is that if a refresh token is used to request a new JWT, is `iat` refreshed? If that is the case, then a malicious client can request a new token using the refresh token without a password. If this is the case, do you have any ideas on how to implement such a feature?
Possible solutions include:

1) backend returns a unique error code in this situation
2) frontend can inspect `auth_time` to determine the cause
3) frontend has different code paths in this event and can naturally show a different UX
Sorry for the late reply. I had to drop this feature for something more urgent. I am starting my work on this now and once we have something in production I will send you a brief description of our implementation.
As for not being able to distinguish between "not logged in" and "must re-verify": since this restriction will apply to only some AJAX calls, only those AJAX calls will trigger a popup asking for the password. We can even add a "Login again" link at the bottom of the popup, in case the user wants to log in with a different username. For our use case, I don't think this would matter.
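The gate sketched in the proposal and in the reply above, as an added example written for this page (it is not go-authn or authn-server code): a Go check that keys off `auth_time` rather than `iat`, so that a JWT refreshed without a password (new `iat`, unchanged `auth_time`) still fails the check, plus an HTTP wrapper that answers 401 with a distinct error code for "must re-verify" versus "not logged in". Assumptions: that the server's tokens carry an `auth_time` claim recording the last password login and that this claim is preserved across a refresh (the reply above implies such a claim exists; this is not verified against the server's source), an HS256 signing key in place of the server's RS256 keypair so the example needs no third-party packages, and the names `RequireFreshAuth`, `FreshAuthMiddleware` and the codes `reauth_required` / `unauthenticated`, which are all invented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the gate needs. Assumption (not checked against authn-server's
// real token layout): auth_time records the last password login and survives a refresh; iat does not.
type Claims struct {
	Sub      string `json:"sub"`
	Iat      int64  `json:"iat"`
	AuthTime int64  `json:"auth_time"`
}

var (
	ErrUnauthenticated = errors.New("token missing or invalid")
	ErrReauthRequired  = errors.New("password verification too old")
	b64                = base64.RawURLEncoding
)

// signHS256 mints a demo token; authn-server uses RS256, HS256 just keeps this free of third-party packages.
func signHS256(c Claims, key []byte) string {
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// parseHS256 pins the algorithm and verifies the signature before any claim is trusted.
func parseHS256(token string, key []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrUnauthenticated
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, ErrUnauthenticated // also rejects alg=none and key-confusion headers
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrUnauthenticated
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil || c.Sub == "" {
		return nil, ErrUnauthenticated
	}
	return &c, nil
}

// RequireFreshAuth is the "re-enter password" check. It keys off auth_time, not iat, so a token
// refreshed without a password (new iat, unchanged auth_time) still fails it.
func RequireFreshAuth(token string, key []byte, now time.Time, maxAge time.Duration) (*Claims, error) {
	c, err := parseHS256(token, key)
	if err != nil {
		return nil, err
	}
	if c.AuthTime == 0 || now.Sub(time.Unix(c.AuthTime, 0)) > maxAge {
		return c, ErrReauthRequired
	}
	return c, nil
}

// FreshAuthMiddleware wraps a sensitive handler. Both failures are 401, but the JSON body carries a
// distinct code (the "unique error code" option) so the frontend can take a different path for each.
func FreshAuthMiddleware(key []byte, maxAge time.Duration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := RequireFreshAuth(token, key, time.Now(), maxAge); err != nil {
			code := "unauthenticated" // not logged in: frontend shows the login page
			if errors.Is(err, ErrReauthRequired) {
				code = "reauth_required" // logged in, but must confirm the password
			}
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprintf(w, `{"error":%q}`, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key, now := []byte("demo-secret"), time.Unix(1700000000, 0) // constructed demo values
	// Session refreshed just now, but the password was last entered 10 minutes ago.
	tok := signHS256(Claims{Sub: "42", Iat: now.Unix(), AuthTime: now.Add(-10 * time.Minute).Unix()}, key)
	_, err := RequireFreshAuth(tok, key, now, 5*time.Minute)
	fmt.Println(err) // password verification too old
}
```

The point of the check is the claim it reads: an `iat` window would be reset by any refresh, while `auth_time` only moves when the user actually enters a password, so a stolen refresh token alone cannot satisfy the gate. The parser is deliberately minimal; a real deployment also has to verify `exp`, `iss` and `aud` and use the server's actual public key, which are omitted here to keep the example short.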
How does the backend know where to send the token in step 3?
In the docs you have steps 6-7 in the registration process; it's the same: the backend needs the user profile (email) to finish registration.
It's much simpler if we have `USERNAME_IS_EMAIL`, so the backend may retrieve `username` (email) from Authn.
If `username` is not an email, then it's up to the backend to decide by `username` how to deliver the token (maybe it's not even email).