Step-up auth: Security assessment for cross-request vulnerability
A potential security vulnerability has been identified in the step-up authentication flow where simultaneous authentication requests could lead to privilege escalation.
Current Behavior
When a user initiates multiple authentication requests (e.g., admin mode and group access) in different browsers before completing IDP authentication, the system:
- Accepts a single IDP authentication for both requests
- Applies the same authentication level across different security contexts
- May grant higher privileges (admin mode) with lower security requirements
Security Impact
- Authentication conditions meant for different security levels (admin vs. group access) are not properly segregated
- Users could potentially gain admin access by authenticating at a lower security level than required
- The system fails to enforce distinct authentication requirements for different privilege levels
Steps to Reproduce
- Open Browser A and request step-up authentication for admin mode
- Before completing IDP authentication, open Browser B
- In Browser B, request authentication for group access (with lower authentication requirements)
- Complete IDP authentication
- Observe that both requests (admin mode and group access) are authenticated
- Now the user can access step-up authenticated admin mode and the group scope
Expected Behavior
- Each authentication request should maintain its own separate security context
- Higher privilege levels (admin mode) should enforce their specific authentication requirements
- Authentication for one security level should not automatically grant access to other security levels
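The following is an added illustration, not code from the project this issue belongs to. It models the Current Behavior above as a shared per-user "step-up pending" flag that any IDP completion clears, and beside it the Expected Behavior as a design in which every step-up request carries its own single-use state bound to the scope it was started for, the assurance level that scope requires, and the browser session that started it. The scope names, level numbers and session identifiers are constructed for the example; the IDP completion is represented as a callback carrying a state value and the level the IDP actually asserted.

```python
import secrets
from dataclasses import dataclass

# Constructed assurance levels for this example: larger number = stronger requirement.
LEVEL_GROUP = 1   # what "group access" is assumed to require
LEVEL_ADMIN = 2   # what "admin mode" is assumed to require


class VulnerableStepUp:
    """Models the reported behaviour: one pending set per user, and any IDP
    completion for that user marks every pending scope as authenticated,
    regardless of which request triggered the IDP redirect or what level
    the IDP actually asserted."""

    def __init__(self):
        self.pending = {}  # user -> set of scopes awaiting step-up
        self.granted = {}  # user -> set of step-up authenticated scopes

    def start(self, user, scope, required_level):
        self.pending.setdefault(user, set()).add(scope)

    def complete(self, user, achieved_level):
        # No binding to a specific request and no comparison against required_level.
        self.granted.setdefault(user, set()).update(self.pending.pop(user, set()))
        return self.granted[user]


@dataclass
class PendingRequest:
    scope: str           # e.g. "admin_mode" or "group:<name>"
    required_level: int  # level this scope demands
    session_id: str      # browser session that started the request


class HardenedStepUp:
    """Each request gets an unguessable, single-use state bound to one scope,
    its required level and the originating session. Completing it grants only
    that scope, only to that session, and only if the IDP-asserted level is at
    least the required one (the Expected Behavior bullets, one check each)."""

    def __init__(self):
        self.pending = {}  # state -> PendingRequest
        self.granted = {}  # (user, session_id) -> set of scopes

    def start(self, user, scope, required_level, session_id):
        state = secrets.token_urlsafe(32)
        self.pending[state] = PendingRequest(scope, required_level, session_id)
        return state

    def complete(self, user, state, achieved_level, session_id):
        req = self.pending.pop(state, None)  # single use: a second presentation fails
        if req is None or req.session_id != session_id:
            return None  # unknown, already used, or started in a different browser
        if achieved_level < req.required_level:
            return None  # IDP satisfied a weaker level than this scope demands
        key = (user, session_id)
        self.granted.setdefault(key, set()).add(req.scope)
        return self.granted[key]


def vulnerable_scenario():
    """Browser A asks for admin mode, Browser B asks for group access, the user
    completes one IDP authentication at group level: both scopes come back."""
    svc = VulnerableStepUp()
    svc.start("alice", "admin_mode", LEVEL_ADMIN)
    svc.start("alice", "group:security", LEVEL_GROUP)
    return svc.complete("alice", achieved_level=LEVEL_GROUP)


def hardened_scenario():
    """Same steps against the hardened design. Returns what Browser B receives
    and what happens if the group-level result is then presented for Browser
    A's admin request."""
    svc = HardenedStepUp()
    state_a = svc.start("alice", "admin_mode", LEVEL_ADMIN, session_id="browser-A")
    state_b = svc.start("alice", "group:security", LEVEL_GROUP, session_id="browser-B")
    # The IDP callback lands in Browser B carrying Browser B's state.
    granted_b = svc.complete("alice", state_b, LEVEL_GROUP, session_id="browser-B")
    # A group-level assertion cannot satisfy the pending admin-mode request.
    granted_a = svc.complete("alice", state_a, LEVEL_GROUP, session_id="browser-A")
    return granted_b, granted_a


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())
    print("hardened:  ", hardened_scenario())
```

In the hardened model the admin-mode request stays pending until an IDP response that meets LEVEL_ADMIN arrives with Browser A's own state; a stronger assertion arriving for the group request would grant only the group scope, because the grant is keyed by the request, not by the user. Logging the rejected branch (unknown or mismatched state, insufficient level) is also the natural place for a detection signal that the cross-request pattern in the reproduction steps is being exercised.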
Additional Notes
This issue requires immediate assessment to determine the severity of the security implications and potential mitigation strategies.