Reauthentication for Sensitive functionality ( Step-up authentication)

sachithra · October 27, 2021, 9:00am

In my application, there are some sensitive functionalities that could perform by all types of users. What I wanted is whether the user has an active keycloak session to access the application to perform the above sensitive functionalities, verify the user again using their password. By authenticating what I expect is to ensure that mentioned sensitive functionality is performed by the legitimate user. Does keycloak has such reauthenticate functionality built-in?

reference: Require Re-authentication for Sensitive Features of Authentication - OWASP Cheat Sheet Series

xgp · October 27, 2021, 9:08am

Assuming you’re using OIDC, you can do a redirect to the login with prompt=login set, which will force the user to re-authenticate.

dasniko · October 27, 2021, 9:41am

The step-up auth feature is currently under discussion and will hopefully be integrated soon. There are a lot of people waiting for this:

Issue: [KEYCLOAK-847] Step-up Authentication - Red Hat Issue Tracker
PR + current discussions: KEYCLOAK-847 Add support for step up authentication by CorneliaLahnsteiner · Pull Request #7897 · keycloak/keycloak · GitHub

Topic		Replies	Views
Additional authentication step for sensitive operations Getting advice	2	1135	March 2, 2022
Force re-authentication with prompt=login or max_age=0 : does not work Securing applications authentication , oidc	1	5623	May 28, 2021
Step-Up authentication combined with RequiredAction maxAuthAge	0	238	February 5, 2024
Re-authenticate a user when trying to have access to a specific resource (URL) Getting advice authentication , oidc	1	667	January 16, 2020
Kerberos & step-up mechanism Extending the server	0	414	July 13, 2022

Reauthentication for Sensitive functionality ( Step-up authentication)

Related topics