Authentication Freshness TIA Plugin

Authorize the issuance of a scope based on the freshness of the user authentication.

Use Cases

Authorizing the issuance of scopes based on authentication freshness is useful when you want to ensure that a user has recently authenticated before certain scopes are issued in a token. This increases the likelihood that the authenticated user is actually present when the token is issued. In particular, this is relevant for scopes that grant access to more sensitive operations or resources.

Process

The Authentication Freshness TIA plugin evaluates the Authentication Attributes to determine how fresh the user's authentication is. Depending on its configuration, the plugin indicates one of the following:

  • the authentication time is within the configured bounds (max-age), so the scope may be issued
  • the authentication time is outside the configured bounds, in which case the plugin either denies the issuance of the scope or allows it on the condition that user consent is required (on-expired)
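The decision logic described above, as an added illustration that is not the plugin's own code: a freshness policy per scope with the two settings the page names (max-age and on-expired), applied to the authentication time taken from the authentication attributes. The function and field names, the `auth_time` attribute key (borrowed from the OIDC claim of the same name), and the handling of an authentication time that lies in the future are assumptions of this example, not documented plugin behaviour.

```python
from dataclasses import dataclass
from enum import Enum
import time


class OnExpired(Enum):
    """The two behaviours the page describes for an expired authentication."""
    DENY = "deny"
    REQUIRE_CONSENT = "require-consent"


class Decision(Enum):
    ISSUE = "issue"                         # fresh: scope may be issued
    DENY = "deny"                           # stale: scope is refused
    CONSENT_REQUIRED = "consent-required"   # stale: scope may be issued only after user consent


@dataclass(frozen=True)
class FreshnessConfig:
    max_age_seconds: int        # stands in for the plugin's max-age setting (assumed name)
    on_expired: OnExpired       # stands in for the plugin's on-expired setting (assumed name)

    def __post_init__(self) -> None:
        if self.max_age_seconds < 0:
            raise ValueError("max-age must be non-negative")


def _expired(config: FreshnessConfig) -> Decision:
    """Map the on-expired setting to the decision for a stale authentication."""
    if config.on_expired is OnExpired.DENY:
        return Decision.DENY
    return Decision.CONSENT_REQUIRED


def evaluate_scope(auth_time: int, now: int, config: FreshnessConfig) -> Decision:
    """Return the decision for one freshness-protected scope.

    auth_time and now are Unix timestamps in seconds; auth_time is the value
    carried in the authentication attributes.
    """
    age = now - auth_time
    if age < 0:
        # Authentication time in the future: clock skew or an untrusted value.
        # This example treats it as not fresh (a conservative choice made here,
        # not documented plugin behaviour).
        return _expired(config)
    if age <= config.max_age_seconds:
        return Decision.ISSUE
    return _expired(config)


def evaluate_requested_scopes(attributes, requested, policies, now=None):
    """Apply per-scope freshness policies to a list of requested scopes.

    attributes: authentication attributes dict with an "auth_time" entry (assumed key).
    policies:   mapping scope -> FreshnessConfig; scopes without a policy are
                issued unconditionally (no freshness requirement configured).
    Returns a mapping scope -> Decision.
    """
    now = int(time.time()) if now is None else now
    auth_time = int(attributes["auth_time"])
    return {
        scope: evaluate_scope(auth_time, now, policies[scope]) if scope in policies else Decision.ISSUE
        for scope in requested
    }


if __name__ == "__main__":
    # Constructed sample: the user authenticated 10 minutes ago and requests three scopes,
    # two of which require an authentication no older than 5 minutes.
    now = 1_700_000_000
    attrs = {"subject": "alice", "auth_time": now - 600}
    policies = {
        "payments": FreshnessConfig(300, OnExpired.DENY),
        "profile:write": FreshnessConfig(300, OnExpired.REQUIRE_CONSENT),
    }
    requested = ["openid", "payments", "profile:write"]
    for scope, decision in evaluate_requested_scopes(attrs, requested, policies, now).items():
        print(f"{scope}: {decision.value}")
```

Running the sample issues `openid` unconditionally, denies `payments` and marks `profile:write` as requiring user consent, which is the split the on-expired setting controls. A policy that denies outright is the safer default for high-value scopes; the consent variant keeps the user in the loop without forcing a full re-authentication.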
