IdentityServer - Force re-authentication in case of required MFA

[pampua84]

Hi,
I am in a situation where I have to force MFA login on a specific client, so to prevent a pre-authenticated user with username and password from ignoring this second step I have to intercept the amr and if it is pwd send the user to the MFA screen. The discriminant to understand if the client requires mandatory MFA login will be its property. To be able to do this, where is it best to act, do I have to create my own middleware and if so where to 'place' it in the pipe? Do I have to inherit from some specific class or interface ex AuthorizeEndpoint? Can you kindly help me.

[RolandGuijt]

Why isn't it possible to do the MFA when the user is logging in?
Are you using ASP.NET Core Identity to handle logins?

Please understand that this discussion area might not the right place to ask this since this is not specific to any of our products. Our support team might be able to give you some hints but we'll have to leave it to the community to go in-depth.

[pampua84]

I wanted to know if I should intercept the call before the identity server Middleware or in some particular Endpoint, because if it sees the user already logged in it will redirect directly to the client. I don't know if I was clear?

[RolandGuijt]

MFA is typically done during login, not afterwards. Hence my two questions above. Can you please explain why you need this?

[pampua84]

I am in a situation where I need to enforce MFA login on one client but not on another (MFA is per client and not per user). On the first client, I will set a property indicating that the login must be done with MFA. Now, if the user logs in first from the second client, they won't perform MFA (as it is not required). If they then try to log in from the first client (where MFA login is required, amr=otp), since they are already logged in, the login page won't be shown and they will be directly redirected on the client. I am using Asp.Net Core Identity but not its MFA functionality because it does not meet certain security standards (e.g. OTP duration)

[RolandGuijt]

We have an example that does this called "step-up".
To make this client specific the client could pass in a acr_value that should be checked at the identity provider. You would have to look into an interaction response generator.
More information here and here.

[pampua84]

First of all, thank you for the responses. Just to confirm, by using the Step Up Authentication Challenge Protocol, the client directly requests a higher authentication level without me having to set it in the client's properties in the database. When the authorization server receives this request, it displays the MFA page. After the user completes the MFA, the authorization server returns the id_token and access_token with the amr claim set to 'otp' or 'sms'.
The client must check this claim because, at this stage, it is not an external resource but the client itself that requires this type of authentication. Thanks

[AndersAbel]

Yes, using acr to indicate stepup allows the client to control this. That enables a behaviour where the user can login using just user name and password and then require MFA for certain operations. This also, as you note, put the burden of validation on the client.

If this specific client always require MFA, it is probably easier to just adjust the IAuthorizeInteractionResponseGenerator implementation to check the client configuration (i.e. the property). You can still use the step-up sample as a reference, but the IAuthorizeInteractionResponseGenerator implementation could be simplified.