Force social/OAuth reauthentication? #3030
Labels
Comments
|
Close as discussion (even if it is a very important / valid one that touches on multiple open + relevant issues). |
|
I don't think this is a discussion, it is a valid feature request. Also, social only accounts won't play nice with |
|
I just figured it could be closed because it is encompassed by the reauth efforts that have been discussed. I can see how this is a specific feature upon second read. |
|
@pennersr i want to work on this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of new security requirements for our application, we are adding some "extra verification" steps to protect actions like changing a password, adding an email address, etc.
For users w/ passwords set this is straightforward - we can just have them reverify their password.
For social signups, however, we aren't quite sure what to do. Ideally we could trigger some "force reauthenticate" behavior where the user has to (you guessed it!) reauthenticate via OAuth with the IdP. Another option would be to require social signups to add 2FA, and then rely on 2FA to be secure and not hijacked for this extra verification.
Is something like this currently possible? What are other people using this library doing for this sort of requirement, out of curiosity?
The text was updated successfully, but these errors were encountered: