FusionAuth

    Posts made by fernando.hellwig

    • RE: Step-up authentication trustChallenge/trustToken binding and validation for custom APIs

      @mark-robustelli Hi Mark! Thanks for sharing the link. Yes, I've seen that and in general it should fit. I'm just looking for more details as my use-case is quite specific.

      1. execute a step-up auth flow before a sensitive operation (e.g. transfer of funds),
      2. use that specific step-up auth flow to validate and then execute a specific operation (like a step-up ID binding to the operation the user started)

      I need a way of validating that a specific step-up auth is bound to a specific operation. I have seen the description of a use case of using trustChallenge and trustToken to validate a FusionAuth change password request. This is kind of what I need to do, but on my API endpoints. I'm wondering if it's possible to validate trustToken using a trustChallenge on my own API.

      e.g.
      a. call a sensitive request triggering step-up with trustChallenge=1234
      b. bind operation with trustChallenge
      c. complete step up and receive trustToken
      d. validate trustToken using the trustChallenge (this is what I would need to know) and confirm/finalize sensitive operation.

      posted in General Discussion
      fernando.hellwig
    • Step-up authentication trustChallenge/trustToken binding and validation for custom APIs

      Is there currently any (secure) alternative for using a step-up authentication process which is required for calling a sensitive endpoint on my own API?

      I see an example related to calling a built-in FusionAuth API (change-password) using trustChallenge and trustToken, but I'm wondering how to use the same trustChallenge + trustToken verification on my own application (or an alternative approach).

      My use-case: Let's say I need to force MFA / execute a step-up auth flow before every sensitive operation (e.g. update of sensitive data, transfer of funds, etc.), and that specific MFA/step-up auth must only be valid for that specific operation the user requested.
      I need to bind that step-up auth (trustChallenge?) to the operation and validate the related trustToken somehow?

      References I already checked:

      • https://fusionauth.io/community/forum/topic/1720/fusionauth-1-33-0-update-how-to-update-the-password-reset-functionality-for-users-that-have-two-factor-on
      • https://github.com/FusionAuth/fusionauth-issues/issues/1491
      • https://fusionauth.io/docs/apis/login#complete-multi-factor-authentication
      posted in General Discussion
      fernando.hellwig
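The binding the two posts above ask for (steps a to d: a challenge tied to one pending operation, a trust token issued only after step-up, and a validation that accepts the token once, for that operation only) can be sketched on the application side regardless of how the identity provider's token is formatted. Neither post states how a FusionAuth trustToken could be verified by a third-party API, so this added example (not from the thread, FusionAuth or its docs) has the application mint its own short-lived HMAC-signed stand-in for the trustToken; `APP_SECRET`, the function names and the in-memory stores are this example's assumptions.

```python
import hashlib, hmac, json, secrets, time

# Constructed for this example: the application's own signing key, not a FusionAuth key.
APP_SECRET = b"example-only-secret-rotate-me"
TRUST_TTL_SECONDS = 300          # the step-up proof is only good for a short window
_pending = {}                    # trustChallenge -> {"op_hash": ..., "expires": ...}
_used = set()                    # trust tokens already consumed (single use)

def _op_hash(operation: dict) -> str:
    # Canonical JSON so the same operation always hashes to the same value.
    canon = json.dumps(operation, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def start_sensitive_operation(operation: dict, now=None) -> str:
    """Steps a/b: create a trustChallenge and bind it to exactly this operation."""
    now = time.time() if now is None else now
    challenge = secrets.token_urlsafe(24)    # unguessable, unlike a fixed value such as 1234
    _pending[challenge] = {"op_hash": _op_hash(operation), "expires": now + TRUST_TTL_SECONDS}
    return challenge

def issue_trust_token(challenge: str) -> str:
    """Step c: call only after the identity provider has reported step-up success.
    The MAC covers both the challenge and the operation hash recorded for it."""
    pending = _pending.get(challenge)
    if pending is None:
        raise ValueError("unknown trustChallenge")
    msg = f"{challenge}:{pending['op_hash']}".encode()
    return f"{challenge}.{hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()}"

def finalize_sensitive_operation(challenge: str, token: str, operation: dict, now=None) -> bool:
    """Step d: accept only an authentic, unexpired, unused token bound to this challenge
    and to the operation the caller is now trying to execute."""
    now = time.time() if now is None else now
    pending = _pending.get(challenge)
    if pending is None or now > pending["expires"]:
        return False
    try:
        tok_challenge, mac = token.split(".", 1)
    except ValueError:
        return False
    msg = f"{challenge}:{_op_hash(operation)}".encode()   # hash of what is being executed now
    expected = hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()
    if tok_challenge != challenge or not hmac.compare_digest(mac, expected):
        return False                                     # tampered token or a different operation
    if token in _used:
        return False                                     # replay of an already-consumed proof
    _used.add(token)
    del _pending[challenge]
    return True
```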