Make authentication persist for short duration to prevent duplicate MFA unnecessarily
This requires:

- `GET /authenticate`, which takes #308 (closed) to provide options for who you are
- `GET /authenticate?profile_url=...`, which allows the choice of the authenticators applicable
- `POST /authenticate`, which, if successful, sets a 5(?) minute JWS with a dynamic secret (on startup) to authenticate the user

Then on `/consent` it requires the JWS to be valid, and will be sent alongside the consent response.
Edited by Jamie Tanna
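The short-lived token described above, sketched as an added example that is not the project's own code: a JWS signed with a secret generated at process start, valid for the issue's tentative 5 minutes, and checked before consent is accepted. The choice of HS256, the claim names and the function names `issue_token` and `verify_token` are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: regenerated on every process start, so a restart invalidates
# all outstanding tokens and nothing has to be stored or rotated.
STARTUP_SECRET = secrets.token_bytes(32)
TTL_SECONDS = 5 * 60  # the issue's tentative "5(?) minute" lifetime

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return _b64(mac).encode()

def issue_token(profile_url, now=None, secret=STARTUP_SECRET):
    """After a successful POST /authenticate: mint the compact JWS."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps(
        {"sub": profile_url, "iat": now, "exp": now + TTL_SECONDS}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{_sign(signing_input, secret).decode()}"

def verify_token(token, profile_url, now=None, secret=STARTUP_SECRET):
    """On /consent: True only for an untampered, unexpired token for this user."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, claims_b64, signature = token.split(".")
        expected = _sign(f"{header_b64}.{claims_b64}", secret)
        # Verify the MAC in constant time before trusting any decoded field.
        if not hmac.compare_digest(signature.encode(), expected):
            return False
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(claims_b64))
    except (ValueError, AttributeError):
        return False  # wrong segment count, bad base64, bad JSON, non-string
    # Pin the algorithm; never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        return False
    return claims.get("sub") == profile_url and now < claims.get("exp", 0)
```

Binding the token to the `profile_url` it was issued for stops a token obtained for one identity from satisfying `/consent` for another.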