As part of new security requirements for our application, we are adding some "extra verification" steps to protect actions like changing a password, adding an email address, etc.
For users with passwords set this is straightforward: we can just have them reverify their password.
For social signups, however, we aren't quite sure what to do. Ideally we could trigger some "force reauthenticate" behavior where the user has to (you guessed it!) reauthenticate via OAuth with the IdP. Another option would be to require social signups to add 2FA, and then rely on 2FA to be secure and not hijacked for this extra verification.
Is something like this currently possible? What are other people using this library doing for this sort of requirement, out of curiosity?
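To make the request concrete, here is an added example (not code from this issue or from the library under discussion) of the two reauthentication paths it describes: password holders re-enter their password, while social-only accounts are sent back through the IdP with the standard OpenID Connect `prompt=login` and `max_age` parameters, and the returned ID token's `auth_time` claim is checked before the sensitive action is unlocked. The session key `last_auth_time`, the `has_usable_password` flag and the 300-second window are assumptions made for the example; the code is framework-independent and assumes the OIDC client library has already verified the token's signature, issuer, audience and expiry.

```python
import secrets
import time
from typing import Optional

# Assumption: an authentication event older than this no longer unlocks sensitive actions.
REAUTH_MAX_AGE = 300


def needs_reauth(session: dict, now: Optional[float] = None, max_age: int = REAUTH_MAX_AGE) -> bool:
    """True when the session has no authentication event fresh enough for a sensitive action.

    `session["last_auth_time"]` is a hypothetical key recording when the user last proved
    possession of a credential (password check or IdP reauthentication).
    """
    now = time.time() if now is None else now
    last = session.get("last_auth_time")
    if last is None:
        return True
    return (now - last) > max_age


def reauth_method(user: dict) -> str:
    """Pick how the user must re-prove identity: password holders re-enter it,
    social-only accounts are sent back through the IdP (hypothetical user dict)."""
    return "password" if user.get("has_usable_password") else "idp"


def oidc_reauth_params(client_id: str, redirect_uri: str, state: str, nonce: str,
                       max_age: int = REAUTH_MAX_AGE) -> dict:
    """Authorization-request parameters that force the IdP to re-prompt the user.

    `prompt=login` and `max_age` are OpenID Connect Core parameters: the IdP must
    reauthenticate the user, and when max_age is sent it must return `auth_time`
    in the ID token, which lets us verify the reauthentication actually happened.
    """
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,      # CSRF binding for the callback
        "nonce": nonce,      # replay binding for the ID token
        "prompt": "login",
        "max_age": str(max_age),
    }


def accept_reauth(claims: dict, expected_nonce: str, now: Optional[float] = None,
                  max_age: int = REAUTH_MAX_AGE) -> Optional[float]:
    """Check the freshness claims of an ID token returned after forced reauthentication.

    Returns the auth_time to store in the session, or None if the token must be rejected.
    Signature/issuer/audience/expiry are assumed to have been verified already.
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return None
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return None  # max_age was requested, so a missing auth_time means no reauth occurred
    if now - auth_time > max_age:
        return None  # IdP served a stale session instead of re-prompting
    if auth_time > now + 60:
        return None  # beyond a small clock-skew tolerance
    return float(auth_time)


if __name__ == "__main__":
    # Constructed walk-through: a social-only user tries to add an email address.
    session = {}
    user = {"has_usable_password": False}
    now = 1_700_000_000
    if needs_reauth(session, now) and reauth_method(user) == "idp":
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        params = oidc_reauth_params("example-client", "https://app.example/cb", state, nonce)
        print("redirect to IdP with", params)
        # Constructed ID token claims as the IdP would return them after re-prompting.
        claims = {"nonce": nonce, "auth_time": now + 5}
        fresh = accept_reauth(claims, nonce, now=now + 6)
        if fresh is not None:
            session["last_auth_time"] = fresh
    print("sensitive action allowed:", not needs_reauth(session, now + 10))
```

The design choice worth noting is that the `auth_time` check is what makes the IdP round-trip meaningful: without it, an IdP that ignores `prompt=login` and silently returns a token for its existing session would satisfy the redirect without the user ever re-proving anything.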
I don't think this is a discussion, it is a valid feature request. Also, social only accounts won't play nice with @reauthentication_required() in its current form -- see the TODO there -- so this is something that needs looking into.
I just figured it could be closed because it is encompassed by the reauth efforts that have been discussed. I can see how this is a specific feature upon second read.