
Step-Up auth #944

@jmattheis

Description


Actions including

  • deleting clients,applications
  • creating/deleting/modifying users
  • changing the password of the current user

Should require step-up auth, meaning the user has to re-authenticate with

  • their user password if it's a local user
  • the IdP server, if it's an OIDC user

This is to ensure that potentially unrecoverable actions are more secure.

We probably have to add another field to the user to define the last used login method, so we can use this to determine how to re-authenticate.

Todos:

  • Local user step-up: Add a /auth/step-up API which accepts a client-id and a step-up duration, e.g. 15m. This endpoint should require basic auth.
  • OIDC step-up
    • Add a step-up boolean flag to the /auth/oidc/login endpoint, and store it in the pending session
    • On /auth/oidc/callback we see the step-up flag and can read the existing session cookie and then do the step-up. We'll have to additionally validate that the user of the session and the OIDC callback match.
    • Redirect the user back to the previously open page.
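The following sketch, added here as an illustration and not code from the issue or from Gotify, shows the server-side state the todos imply: a per-client step-up grant with a clamped lifetime, the check a sensitive handler runs before acting, and the session-user-versus-callback-user comparison the OIDC path needs. `StepUpStore`, `Grant`, `Require`, `OIDCStepUp` and the 15m ceiling are assumed names and values.

```go
package main

import (
	"errors"
	"time"
)

// Constructed example, not Gotify's own code; names and the 15m ceiling are assumptions.
// A real server would guard the map with a mutex; that is left out here for brevity.
const MaxStepUpDuration = 15 * time.Minute
var ErrStepUpRequired = errors.New("step-up authentication required")
var ErrUserMismatch = errors.New("oidc callback user does not match session user")

// StepUpStore remembers, per client id, until when a re-authentication stays valid.
type StepUpStore struct {
	expires map[string]time.Time
	now     func() time.Time // injectable clock so expiry is testable
}
func NewStepUpStore(now func() time.Time) *StepUpStore {
	return &StepUpStore{expires: map[string]time.Time{}, now: now}
}

// Grant records a successful re-authentication for clientID (after /auth/step-up verified the
// basic-auth password, or the OIDC callback carried the step-up flag); the duration is clamped.
func (s *StepUpStore) Grant(clientID string, d time.Duration) time.Time {
	if d <= 0 || d > MaxStepUpDuration {
		d = MaxStepUpDuration
	}
	s.expires[clientID] = s.now().Add(d)
	return s.expires[clientID]
}

// Require is the gate a sensitive handler (delete client/application, modify user, change
// password) runs before acting: a grant must exist for this client and be unexpired.
func (s *StepUpStore) Require(clientID string) error {
	if exp, ok := s.expires[clientID]; ok && s.now().Before(exp) {
		return nil
	}
	return ErrStepUpRequired
}

// OIDCStepUp is the callback-side check: the user behind the existing session cookie must be
// the user the IdP just authenticated, otherwise no grant is issued.
func OIDCStepUp(s *StepUpStore, clientID string, sessionUser, callbackUser uint, d time.Duration) error {
	if sessionUser != callbackUser {
		return ErrUserMismatch
	}
	s.Grant(clientID, d)
	return nil
}
```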

Labels

  • a:feature (New feature or request)