FusionAuth
    Step-up authentication trustChallenge/trustToken binding and validation for custom APIs

    General Discussion
    • fernando.hellwig

      Is there currently any (secure) alternative for using a step-up authentication process which is required for calling a sensitive endpoint on my own API?

      I see an example related to calling a built-in FusionAuth API (change-password) using trustChallenge and trustToken, but I'm wondering how to use the same trustChallenge + trustToken verification on my own application (or an alternative approach).

      My use case: let's say I need to force MFA / execute a step-up auth flow before every sensitive operation (e.g. an update of sensitive data, a transfer of funds, etc.), and that specific MFA/step-up auth must only be valid for the specific operation the user requested.
      I need to bind that step-up auth (trustChallenge?) to the operation and validate the related trustToken somehow?

      References I already checked:

      • https://fusionauth.io/community/forum/topic/1720/fusionauth-1-33-0-update-how-to-update-the-password-reset-functionality-for-users-that-have-two-factor-on
      • https://github.com/FusionAuth/fusionauth-issues/issues/1491
      • https://fusionauth.io/docs/apis/login#complete-multi-factor-authentication
      • mark.robustelli @fernando.hellwig

        @fernando-hellwig Check out this piece of documentation on Step-Up Authentication when you get a chance. It sounds like what you are referring to.

        • fernando.hellwig @mark.robustelli

          @mark-robustelli Hi Mark! Thanks for sharing the link. Yes, I've seen that and in general it should fit. I'm just looking for more details as my use case is quite specific.

          1. execute a step-up auth flow before a sensitive operation (e.g. a transfer of funds),
          2. use that specific step-up auth flow to validate and then execute a specific operation (like a step-up ID binding to the operation the user started)

          I need a way of validating that a specific step-up auth is bound to a specific operation. I have seen the description of a use case of using trustChallenge and trustToken to validate a FusionAuth change password request. This is kind of what I need to do, but on my API endpoints. I'm wondering if it's possible to validate trustToken using a trustChallenge on my own API.

          e.g.
          a. call a sensitive request triggering step-up with trustChallenge=1234
          b. bind operation with trustChallenge
          c. complete step up and receive trustToken
          d. validate trustToken using the trustChallenge (this is what I would need to know) and confirm/finalize sensitive operation.

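The thread does not say whether FusionAuth lets a custom API validate a trustToken directly, so the following is an added example (not FusionAuth's code and not code from either poster) of the part the application must do itself in steps a-d above: mint an unguessable challenge, bind it server-side to the requesting user and to a canonical digest of the exact operation, make it single-use with a short expiry, and only then run the operation. Everything here is an assumption for illustration: the Python `StepUpBinder` class, the server secret, the five-minute window, and `make_fake_idp`, a constructed stand-in for the identity provider that models nothing more than "a trustToken is valid for exactly one trustChallenge". In a real deployment the `verify_trust` callback would be whatever proof of step-up your identity provider gives you for that challenge.

```python
"""Bind a step-up challenge to exactly one sensitive operation (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Tuple

# Assumptions for this example only: a server-side secret (load it from a secret
# store in practice) and a five-minute window in which the step-up must finish.
SERVER_SECRET = b"example-only-secret-do-not-use"
STEP_UP_TTL_SECONDS = 300


class StepUpBinder:
    """Server-side record of which user and operation each trustChallenge was minted for."""

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._now = now
        # challenge -> (user_id, operation digest, expiry timestamp)
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    def _operation_digest(self, user_id: str, operation: dict) -> str:
        # Canonical JSON so key order or whitespace cannot change the digest; keyed
        # with the server secret so a client cannot precompute digests for other operations.
        canonical = json.dumps(operation, sort_keys=True, separators=(",", ":"))
        msg = f"{user_id}\n{canonical}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def start(self, user_id: str, operation: dict) -> str:
        """Steps a/b: mint an unguessable trustChallenge and record what it is bound to."""
        challenge = secrets.token_urlsafe(32)
        digest = self._operation_digest(user_id, operation)
        self._pending[challenge] = (user_id, digest, self._now() + STEP_UP_TTL_SECONDS)
        return challenge

    def complete(self, user_id: str, operation: dict, trust_challenge: str,
                 trust_token: str, verify_trust: Callable[[str, str], bool]) -> bool:
        """Step d: consume the challenge; True only if step-up, user and operation all match."""
        entry = self._pending.pop(trust_challenge, None)  # single use, even when rejected
        if entry is None:
            return False
        bound_user, bound_digest, expires_at = entry
        if self._now() > expires_at or bound_user != user_id:
            return False
        # verify_trust is the caller's proof that the identity provider completed the step-up
        # for this exact challenge (with FusionAuth, the trustChallenge/trustToken pair).
        if not verify_trust(trust_challenge, trust_token):
            return False
        return hmac.compare_digest(bound_digest, self._operation_digest(user_id, operation))


def make_fake_idp() -> Tuple[Callable[[str], str], Callable[[str, str], bool]]:
    """Constructed stand-in for the identity provider so the example runs offline.
    It models only the assumption that a trustToken is valid for one trustChallenge."""
    idp_key = b"fake-idp-key"

    def issue(challenge: str) -> str:
        return hmac.new(idp_key, challenge.encode(), hashlib.sha256).hexdigest()

    def verify(challenge: str, token: str) -> bool:
        return hmac.compare_digest(issue(challenge), token)

    return issue, verify


def run_scenarios() -> Dict[str, bool]:
    """Exercise the binding with constructed inputs; every value should be True."""
    clock = [1_000_000.0]
    binder = StepUpBinder(SERVER_SECRET, now=lambda: clock[0])
    issue, verify = make_fake_idp()
    transfer = {"type": "transfer", "to": "ACC-42", "amount": 5000, "currency": "EUR"}
    results: Dict[str, bool] = {}

    ch = binder.start("alice", transfer)  # MFA done for this transfer, same transfer finalised
    results["bound_operation_accepted"] = binder.complete("alice", transfer, ch, issue(ch), verify)
    results["replay_rejected"] = not binder.complete("alice", transfer, ch, issue(ch), verify)

    ch = binder.start("alice", transfer)  # MFA done for 5000, request resubmitted with 50000
    bigger = dict(transfer, amount=50_000)
    results["tampered_operation_rejected"] = not binder.complete("alice", bigger, ch, issue(ch), verify)

    ch = binder.start("alice", transfer)  # right challenge, no real proof of step-up
    results["bad_token_rejected"] = not binder.complete("alice", transfer, ch, "forged", verify)

    ch = binder.start("alice", transfer)  # challenge minted for alice, submitted as someone else
    results["wrong_user_rejected"] = not binder.complete("mallory", transfer, ch, issue(ch), verify)

    ch = binder.start("alice", transfer)  # step-up completed after the window closed
    clock[0] += STEP_UP_TTL_SECONDS + 1
    results["expired_rejected"] = not binder.complete("alice", transfer, ch, issue(ch), verify)

    results["unknown_challenge_rejected"] = not binder.complete("alice", transfer, "nope", "x", verify)
    return results
```

The point of the design is that the operation binding lives in your API, not in the identity provider: the challenge is popped before any check runs, so a failed or replayed completion can never be retried with the same challenge, and the digest covers the full canonical request so a step-up performed for one transfer cannot authorise a different amount or recipient. The in-memory dict stands in for whatever shared store (database row, cache entry with TTL) your API instances actually use.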