Step-up auth: Session expiration based on IdP response

Problem

Currently, our OIDC step-up authentication implementation doesn't handle session expiration.

Without proper expiration handling, step-up authentication sessions might remain valid longer than intended by the identity provider, creating a potential security risk. Users might retain elevated privileges beyond the timeframe authorized by the identity provider.

Fortunately, the identity provider's ID token carries the exp (expiration time) claim when the user has successfully completed the step-up auth challenge. Unfortunately, this claim is ignored by the step-up auth implementation introduced in Step-up auth: Add omniauth step-up auth for adm... (!171643 - merged).

Proposal

Implement a mechanism to expire step-up authentication sessions based on expiration information returned by the identity provider:

  1. During the OIDC authentication flow, extract expiration information from the identity provider's response:
    • Look for standard OIDC ID claims like exp (expiration time) in the ID token
    • Check for custom claims that might indicate expiration intervals (<= this could be done in a separate MR)
  2. Store the calculated expiration timestamp with the user's step-up authentication session
  3. Add a validation check before allowing access to protected resources:
    • Compare current time against the stored expiration timestamp
    • If expired, require the user to perform step-up authentication again
  4. Implement a background job to clean up expired step-up sessions (<= to be discussed)
  5. Add logging for security audit purposes when sessions expire

This implementation will ensure that elevated access privileges granted through step-up authentication align with the identity provider's security policies and expiration requirements.
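The following is an added example of steps 1, 2, 3 and 5 of the proposal written as a small Ruby module; it is not GitLab's code. It assumes the session is a Hash-like object, that the step-up state lives under a session key named omniauth_step_up_auth (an assumption, not the project's actual key), and that the ID token claims arrive as a Hash. It also covers two cases the proposal only implies: an ID token with no usable exp claim is refused rather than stored without a deadline, and a session observed at or after its expiry is cleared and reported as an audit event instead of silently failing.

```ruby
require 'time'

# Added example, not GitLab's implementation. Session key name and the
# layout of the stored hash are assumptions for illustration only.
module StepUpAuthSession
  SESSION_KEY = 'omniauth_step_up_auth'

  # Step 1: extract the expiry from the ID token claims. OIDC defines `exp`
  # as a NumericDate (seconds since the Unix epoch); accept an Integer or a
  # digit-only String. Returns a UTC Time, or nil when no usable claim exists.
  def self.expiration_from_claims(claims)
    exp = claims['exp'] || claims[:exp]
    return nil unless exp.is_a?(Integer) || (exp.is_a?(String) && exp =~ /\A\d+\z/)

    Time.at(Integer(exp)).utc
  end

  # Step 2: record a successful step-up together with its expiry.
  # A token without `exp`, or one that is already expired, is rejected so the
  # session never holds an elevated state without a deadline.
  def self.record_success!(session, claims, provider:, now: Time.now.utc)
    expires_at = expiration_from_claims(claims)
    raise ArgumentError, 'ID token has no usable exp claim' if expires_at.nil?
    raise ArgumentError, 'ID token is already expired' if expires_at <= now

    session[SESSION_KEY] = {
      'provider' => provider,
      'state' => 'succeeded',
      'expires_at' => expires_at.iso8601
    }
  end

  # Step 3 (and 5): the check run before a protected resource is served.
  # Returns [allowed, audit_event]. audit_event is nil unless the session was
  # found expired, in which case the caller should log it and re-challenge.
  def self.check(session, provider:, now: Time.now.utc)
    entry = session[SESSION_KEY]
    valid_entry = entry && entry['provider'] == provider && entry['state'] == 'succeeded'
    return [false, nil] unless valid_entry

    expires_at = Time.iso8601(entry['expires_at'])
    # JWT semantics: the token must not be accepted on or after `exp`.
    return [true, nil] if now < expires_at

    session.delete(SESSION_KEY)
    event = {
      event: 'step_up_auth_session_expired',
      provider: provider,
      expired_at: expires_at.iso8601,
      observed_at: now.iso8601
    }
    [false, event]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values: a plain Hash stands in for the Rails session.
  session = {}
  claims = { 'sub' => 'demo-user', 'exp' => Time.utc(2025, 1, 1, 12, 0, 0).to_i }
  StepUpAuthSession.record_success!(session, claims, provider: 'openid_connect',
                                    now: Time.utc(2025, 1, 1, 11, 0, 0))
  allowed, event = StepUpAuthSession.check(session, provider: 'openid_connect',
                                           now: Time.utc(2025, 1, 1, 12, 30, 0))
  puts "allowed=#{allowed} event=#{event.inspect}"
end
```

The check deliberately uses a strict `now < expires_at` comparison so that a request arriving exactly at the expiry time is treated as expired, matching the JWT rule that a token must not be accepted on or after exp. Returning the audit event to the caller rather than logging inside the module keeps the check testable and lets the controller decide the log format.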

Implementation plan

Edited by Gerardo Navarro