Hello Everyone,

*Use case :* An OAuth application supports accessing both high-value and low-value resources. Say these resources are protected with two scopes, highValueScope and lowValueScope respectively. The user can obtain an access token for the lowValueScope with just basic authentication and continue accessing low-value resources (a balance between security and the user experience). Whenever the user decides to access a higher-value resource (or maybe perform a high-value transaction), they need to obtain another access token with the highValueScope. As the name implies, this scope requires a step-up authentication (an OTP, maybe). Thereafter, the user is free to access either resource.

*Practical scenario :* A banking system requesting a higher level of authentication upon performing a transaction worth over 1 million.

*Catering for this with a custom grant :* The first token would be obtained by providing the user credentials (code grant). Once the step-up authentication (SMS OTP here) is triggered, this would be handled by a custom grant which accepts a Bearer token (previously obtained) and issues/validates an SMS OTP for the user. Only upon successful verification will the second access token be issued to the application.

*Suggestion :* I believe that this is a common use case and the WSO2 Identity Server should be addressing this OOTB rather than going for customizations. This will enable users to easily adopt any kind of authenticator we support as their step-up option and make the process as seamless as possible.

Appreciate your thoughts.

Cheers,
--
*Nipun Thathsara*
Software Engineer | WSO2
Email : [email protected]
Mobile : +94713031875
Web : http://wso2.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
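The two-phase exchange sketched in the post above, as an added Python example that is neither WSO2 Identity Server code nor the author's own: an in-memory authorization server where `login` stands in for the initial code grant / basic authentication, a hypothetical step-up grant (`start_step_up` / `complete_step_up`) that accepts the previously issued Bearer token and verifies an SMS OTP, and a `BankApi.transfer` resource that demands highValueScope once the amount passes 1 million. Only the two scope names and the 1 million threshold come from the post; every class, method and variable name, the sample user and password, the TTLs and attempt limit, and the `sms_outbox` stub standing in for the SMS gateway are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Scope names and threshold are from the post; all other values are assumed.
LOW_SCOPE = "lowValueScope"
HIGH_SCOPE = "highValueScope"
HIGH_VALUE_THRESHOLD = 1_000_000   # transactions "worth over 1 million" need step-up
OTP_TTL_SECONDS = 300              # assumed challenge lifetime
OTP_MAX_ATTEMPTS = 3               # assumed guess limit per challenge
TOKEN_TTL_SECONDS = 3600           # assumed access token lifetime


@dataclass
class Token:
    user: str
    scopes: frozenset
    expires_at: float


@dataclass
class OtpChallenge:
    code: str
    expires_at: float
    attempts: int = 0


class AuthorizationServer:
    """Toy authorization server (hypothetical, not WSO2 IS): in-memory tokens plus
    a step-up OTP grant. `now` is injectable so expiry can be tested offline."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}       # token string -> Token
        self._challenges = {}   # user -> pending OtpChallenge (one at a time)
        self._users = {"alice": "correct horse battery"}  # constructed sample credential
        self.sms_outbox = []    # stands in for the SMS gateway: (user, code) pairs

    def _issue(self, user, scopes):
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = Token(user, frozenset(scopes), self._now() + TOKEN_TTL_SECONDS)
        return tok

    def introspect(self, token):
        """Return the Token behind a live access token, else None."""
        t = self._tokens.get(token)
        if t is None or t.expires_at <= self._now():
            return None
        return t

    def login(self, user, password):
        """Stands in for the initial code grant: yields a low-value-scope token only."""
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._issue(user, {LOW_SCOPE})

    def start_step_up(self, bearer):
        """Step-up grant, phase 1: the client presents its low-value token; an OTP is
        generated, bound to that token's user, and 'sent' via the SMS stub."""
        t = self.introspect(bearer)
        if t is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[t.user] = OtpChallenge(code, self._now() + OTP_TTL_SECONDS)
        self.sms_outbox.append((t.user, code))
        return True

    def complete_step_up(self, bearer, otp):
        """Step-up grant, phase 2: verify the OTP against the challenge bound to the
        presented token's user. The challenge expires, is single-use and allows
        OTP_MAX_ATTEMPTS guesses; success issues a token carrying both scopes."""
        t = self.introspect(bearer)
        if t is None:
            return None
        ch = self._challenges.get(t.user)
        if ch is None:
            return None
        if ch.expires_at <= self._now():
            del self._challenges[t.user]
            return None
        ch.attempts += 1
        if ch.attempts > OTP_MAX_ATTEMPTS:
            del self._challenges[t.user]      # lock this challenge out; must restart
            return None
        if not hmac.compare_digest(ch.code.encode(), otp.encode()):
            return None
        del self._challenges[t.user]          # single use
        return self._issue(t.user, {LOW_SCOPE, HIGH_SCOPE})


class BankApi:
    """Resource server: the scope a transfer needs depends on its amount."""

    def __init__(self, authz):
        self._authz = authz

    def transfer(self, bearer, amount):
        t = self._authz.introspect(bearer)
        if t is None:
            return "unauthenticated"
        needed = HIGH_SCOPE if amount > HIGH_VALUE_THRESHOLD else LOW_SCOPE
        if needed not in t.scopes:
            return f"insufficient_scope:{needed}"
        return "ok"
```

The points a practitioner would check in any real implementation of this grant are visible here: the OTP challenge is bound to the user of the Bearer token that was presented, so an OTP cannot be replayed against a different session; the challenge expires, is consumed on success and is discarded after a fixed number of wrong guesses; and the comparison is constant-time. The step-up token is issued with both scopes so the client does not have to juggle two tokens afterwards, which is the "free to access either resource" outcome the post describes.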
