How to handle forced re-authentication after a given time? #1637
Comments
@hafezdivandari can you answer this?
AFAIK adding custom claims to JWT tokens is not supported right now. Here is the related issue: #94, and this is the related PR on oauth2-server repo: thephpleague/oauth2-server#1122 @driesvints what do you think about adding
It seems that I can achieve something with the help of this extension https://github.com/corbosman/laravel-passport-claims to add custom claims to Passport tokens. I will be able to compare the It would be great if Passport had such a built-in feature.
Okay, since you found a workaround I'm going to close this. Let's see how the PR goes as well.
Hello,
I'm very happy that you implemented a force re-authentication feature with the `prompt=login` param in release 11.x: #1577
But I still miss something: the re-authentication should be "time related" in order to have a forced re-authentication last for a given time.
OpenID has a spec for that with `prompt=login` + `max_age` param (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
I know Passport does not implement OpenID but it looks like you started to dive into it with the `prompt=login` param...
I also advise you to have a look at how Auth0 handles "re-authentication": https://auth0.com/docs/authenticate/login/max-age-reauthentication. This could be done with a new claim `auth_time` inside the tokens. I don't know if it's possible to customize tokens provided by Passport.
Globally, my question is: with Passport, how can I force the user to re-authenticate if authentication is older than a given time?
Thanks for your help
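
The `max_age` / `auth_time` check asked about above, as an added example that is not part of the original post and not Passport code: it decides whether a login is too old and, if so, builds an authorization redirect carrying `prompt=login`. The function names, the endpoint URL, the client id, the redirect URI and the presence of an `auth_time` claim in the token are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: $claims is the payload of a token whose signature, issuer and
// expiry were already validated, and the authorization server was customised
// to add an integer `auth_time` claim (per this thread, not built into Passport).
function requiresReauthentication(array $claims, int $maxAge, int $now, int $leeway = 30): bool
{
    if ($maxAge < 0) {
        throw new InvalidArgumentException('max_age must be >= 0');
    }
    // Without a usable auth_time the login age cannot be proven: fail closed.
    if (!isset($claims['auth_time']) || !is_int($claims['auth_time'])) {
        return true;
    }
    // A login time in the future, beyond clock-skew leeway, is not trustworthy.
    if ($claims['auth_time'] > $now + $leeway) {
        return true;
    }
    return ($now - $claims['auth_time']) > $maxAge;
}

// Build the redirect that sends the user back through the login screen.
// prompt=login is the parameter discussed in this issue; the endpoint URL,
// client id and redirect URI passed in below are placeholders.
function reauthenticationUrl(string $authorizeEndpoint, string $clientId, string $redirectUri): array
{
    $state = bin2hex(random_bytes(16)); // keep in the session, compare on callback
    $query = http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
        'prompt'        => 'login',
    ]);
    return ['url' => $authorizeEndpoint . '?' . $query, 'state' => $state];
}

// Constructed sample: login happened 20 minutes ago, policy allows 15 minutes.
$now    = 1700001200;
$claims = ['sub' => '42', 'auth_time' => 1700000000];
if (requiresReauthentication($claims, 900, $now)) {
    $redirect = reauthenticationUrl('https://auth.example.test/oauth/authorize',
        'client-id-placeholder', 'https://app.example.test/callback');
    echo $redirect['url'], PHP_EOL;
}
```

For this check to mean anything, `auth_time` has to record the moment of the interactive login and be carried over unchanged when a token is renewed with a refresh token; stamping it with the token's issue time would reset the clock on every refresh.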