Step-up authentication trustChallenge/trustToken binding and validation for custom APIs
-
Is there currently any (secure) alternative for using a step-up authentication process which is required for calling a sensitive endpoint on my own API?

I see an example related to calling a built-in FusionAuth API (change-password) using `trustChallenge` and `trustToken`, but I'm wondering how to use the same `trustChallenge` + `trustToken` verification on my own application (or an alternative approach).

My use-case: Let's say I need to force MFA / execute a step-up auth flow before every sensitive operation (e.g. update of sensitive data, transfer of funds, etc.), and that specific MFA/step-up auth must be only valid for that specific operation the user requested.

I need to bind that step-up auth (trustChallenge?) to the operation and validate the related trustToken somehow?

References I already checked:
-
@fernando-hellwig Check out this piece of documentation on Step-Up Authentication when you get a chance. It sounds like what you are referring to.
-
@mark-robustelli hi Mark! thanks for sharing the link. Yes, I've seen that and in general it should fit. I'm just looking for more details as my use-case is quite specific:
- execute a step-up auth flow before a sensitive operation (e.g. transfer of funds),
- use that specific step-up auth flow to validate and then execute a specific operation (like a step-up ID binding to the operation the user started)

I need a way of validating that a specific step-up auth is bound to a specific operation. I have seen the description of a use case of using `trustChallenge` and `trustToken` to validate a FusionAuth change password request. This is kind of what I need to do, but on my API endpoints. I'm wondering if it's possible to validate `trustToken` using a `trustChallenge` on my own API, e.g.:

a. call a sensitive request triggering step-up with `trustChallenge` = 1234
b. bind operation with `trustChallenge`
c. complete step up and receive `trustToken`
d. validate `trustToken` using the `trustChallenge` (this is what I would need to know) and confirm/finalize sensitive operation.