Step up Authentication
Since version 2.3.0 the directive `OIDCUnAuthzAction` enables step-up authentication scenarios when combined with the following:
- `OIDCPathAuthRequestParams`, which is configurable on a per-path basis and is used on top of `OIDCAuthRequestParams`, the static per-provider value
- `OIDCPathScope`, which is configurable on a per-path basis and is concatenated with `OIDCScope`, the static per-provider value
Sample configuration using `acr_values` and the `acr` claim:

```apache
<Location /user>
  AuthType openid-connect
  Require claim acr:1factor
  Require claim acr:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim acr:2factor
  OIDCUnAuthzAction auth
  OIDCPathAuthRequestParams acr_values=2factor
  Require valid-user
</Location>
```

Sample using scope:
```apache
<Location /user>
  AuthType openid-connect
  Require claim scope:1factor
  Require claim scope:2factor
  Require valid-user
</Location>

<Location /admin>
  AuthType openid-connect
  Require claim scope:2factor
  OIDCUnAuthzAction auth
  OIDCPathScope 2factor
  Require valid-user
</Location>
```

Be aware that using `OIDCUnAuthzAction auth` will only work when combined with a single `Require` statement or `RequireAll`, so using `RequireAny`, multiple `Require claim` statements or `Require not claim` is not supported (since the first failing condition will start re-authentication)! You may be able to get around this by using a single JQ-based complex expression as documented in https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#complex-expressions.
Sometimes it may also be possible to use regular expressions to achieve OR semantics with a single `Require` statement, e.g.:

```apache
Require claim acr~L[234]
OIDCUnAuthzAction auth
OIDCPathAuthRequestParams acr_values=L2
```
Notes:
- this setup can lead to infinite redirect loops when the requested scope/acr_value is not granted
- OpenID Connect Session Management does not work with per-path authn request params & scopes
- using SSI `.shtml` pages in `ErrorDocument` settings on Locations that use step-up authentication may lead to inconsistencies in the step-up HTML responses produced by Apache (i.e. containing "excessive HTML" in the form of 2 HTML bodies and a misaligned `Content-Length` header)
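To make the decision flow behind the samples above concrete, here is an added Python model of the per-Location step-up logic. It is not mod_auth_openidc's code: it parses `Require claim name:value` and `Require claim name~regex` lines, applies the "first failing condition starts re-authentication" rule, merges `OIDCAuthRequestParams` with `OIDCPathAuthRequestParams` and concatenates `OIDCScope` with `OIDCPathScope` into the authorization request, and walks a simulated browser through the `/admin` Location against a stand-in provider. The `prior_step_ups` cap that turns the redirect loop from the first note into a deny is a modelling choice for illustration, not module behaviour; the treatment of a space-separated string claim as a list of tokens is likewise an assumption of the model.

```python
import re
from urllib.parse import parse_qsl

# Constructed model (not mod_auth_openidc's code) of the per-Location step-up
# decision: evaluate "Require claim" lines against the session's claims and, on
# the first failure with "OIDCUnAuthzAction auth", build the authorization
# request parameters from the static per-provider and per-path directives.


def parse_require_claim(directive):
    """Parse 'Require claim name:value' (exact) or 'Require claim name~regex'.

    Returns (claim_name, expected, is_regex).
    """
    parts = directive.split(None, 2)
    if len(parts) != 3 or parts[0] != "Require" or parts[1] != "claim":
        raise ValueError(f"unsupported directive: {directive!r}")
    expr = parts[2]
    colon, tilde = expr.find(":"), expr.find("~")
    if tilde != -1 and (colon == -1 or tilde < colon):
        name, pattern = expr.split("~", 1)
        return name, pattern, True
    if colon == -1:
        raise ValueError(f"expected name:value or name~regex, got {expr!r}")
    name, value = expr.split(":", 1)
    return name, value, False


def claim_matches(claim_value, expected, is_regex):
    """True if any value of the claim satisfies the Require expression.

    Assumption of this model: a JSON array claim matches on any element and a
    space-separated string claim (e.g. "scope") matches on any token.
    """
    if claim_value is None:
        return False
    if isinstance(claim_value, list):
        values = [str(v) for v in claim_value]
    else:
        values = str(claim_value).split()
    for v in values:
        if (re.search(expected, v) is not None) if is_regex else (v == expected):
            return True
    return False


def build_auth_request_params(provider_cfg, location):
    """Merge OIDCAuthRequestParams with OIDCPathAuthRequestParams (per-path keys
    win) and concatenate OIDCScope with OIDCPathScope."""
    params = dict(parse_qsl(provider_cfg.get("OIDCAuthRequestParams", "")))
    params.update(parse_qsl(location.get("OIDCPathAuthRequestParams", "")))
    scope = " ".join(s for s in (provider_cfg.get("OIDCScope", ""),
                                 location.get("OIDCPathScope", "")) if s)
    if scope:
        params["scope"] = scope
    return params


def step_up_decision(location, claims, provider_cfg, prior_step_ups=0):
    """Return ("allow", None), ("auth", params) or ("deny", reason).

    The FIRST failing Require line triggers re-authentication, which is why the
    wiki says only a single Require (or RequireAll) works with step-up. The
    prior_step_ups cap is a modelling choice that breaks the infinite redirect
    loop the wiki warns about when the provider never grants the requested
    acr/scope; the module itself does not cap it.
    """
    for directive in location.get("require", []):
        name, expected, is_regex = parse_require_claim(directive)
        if claim_matches(claims.get(name), expected, is_regex):
            continue
        if location.get("OIDCUnAuthzAction") != "auth":
            return ("deny", f"{directive} failed and no step-up is configured")
        if prior_step_ups >= 1:
            return ("deny", f"{directive} still fails after step-up; stopping redirect loop")
        return ("auth", build_auth_request_params(provider_cfg, location))
    return ("allow", None)


def simulate(location, provider_cfg, initial_claims, provider_grants):
    """Walk one browser through the Location until it is allowed or denied.

    provider_grants(params) stands in for the OpenID Provider: it receives the
    authorization request parameters and returns the claims of the new session.
    Returns (final_verdict, [verdict per round]).
    """
    claims, step_ups, trail = dict(initial_claims), 0, []
    while True:
        verdict, detail = step_up_decision(location, claims, provider_cfg, step_ups)
        trail.append(verdict)
        if verdict != "auth":
            return verdict, trail
        claims = provider_grants(detail)
        step_ups += 1


# Constructed configuration mirroring the wiki's /admin Location (acr variant).
PROVIDER = {"OIDCScope": "openid", "OIDCAuthRequestParams": ""}
ADMIN = {
    "require": ["Require claim acr:2factor"],
    "OIDCUnAuthzAction": "auth",
    "OIDCPathAuthRequestParams": "acr_values=2factor",
}

if __name__ == "__main__":
    # Cooperative provider: grants the requested acr, second round is allowed.
    print(simulate(ADMIN, PROVIDER, {"acr": "1factor"}, lambda p: {"acr": p["acr_values"]}))
    # Provider keeps answering acr=1factor: the wiki's redirect loop, capped here.
    print(simulate(ADMIN, PROVIDER, {"acr": "1factor"}, lambda p: {"acr": "1factor"}))
```

Running the module prints `('allow', ['auth', 'allow'])` for the cooperative provider and `('deny', ['auth', 'deny'])` for the one that never raises the `acr`; with the real module the second case would keep redirecting, which is the situation the first note describes.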