Hi Nipun,

This is supported OOTB [1]

[1] https://docs.wso2.com/display/IS570/Working+with+ACR+and+AMR

Cheers,
Ruwan A

On Wed, Sep 18, 2019 at 12:44 AM Nipun Thathsara <[email protected]> wrote:

> Hello Everyone,
>
> *Use case :*
> An OAuth application supports accessing both high value and low value
> resources. Say these resources are protected with two types of scopes as
> highValueScope and lowValueScope respectively. User can obtain an access
> token for the lowValueScope with just basic authentication and continue
> accessing low value resources (Balance between security and the user
> experience). Whenever the user decides to access a higher value resource
> (or maybe perform a high value transaction), they indeed need to obtain
> another access token with the highValueScope. As the name implies, this
> scope requires a step-up authentication (OTP maybe). Thereafter, the user
> is free to access either resource.
>
> *Practical scenario :*
> Banking system requesting higher levels of authentication upon performing
> a transaction worth over 1 million.
>
> *Catering this with a custom grant : *
> First token would be obtained by providing the user credentials (code
> grant). Once the step-up authentication (SMS OTP here) is triggered, this
> would be handled by a custom grant which accepts a Bearer token (previously
> obtained) and issues/validates SMS OTP for the user. Upon a successful
> verification only, the second access token will be issued to the
> application.
>
> *Suggestion :*
> Believe that this is a common use case and the WSO2 Identity Server should
> be addressing this OOTB rather than going for customizations. Which will
> enable users to easily adopt any kind of authenticator we support as their
> step-up option and make the process seamless as much as possible.
>
> Appreciate your thoughts.
>
> Cheers,
> --
>
> *Nipun Thathsara*
> Software Engineer | WSO2
>
> Email : [email protected]
> Mobile : +94713031875
> Web : http://wso2.com
> [image: http://wso2.com/signature] <http://wso2.com/signature>
>

--
Ruwan Abeykoon | Director/Architect | WSO2 Inc.
(w) +947435800 | Email: [email protected]

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
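
The resource-server side of the use case in this thread, as an added example that is not part of either message and is not WSO2 Identity Server code: it decides per request whether a token is enough or a step-up challenge must be returned. The ACR URNs, the claim layout and the `authorize` helper are assumptions; the scope names and the 1 million threshold are the thread's.

```python
# Added example: resource-server policy for the thread's two scopes.
# ACR names and the claim layout are assumptions, not WSO2 IS defaults.
from dataclasses import dataclass

HIGH_VALUE_THRESHOLD = 1_000_000          # "worth over 1 million" in the thread
LOW_SCOPE, HIGH_SCOPE = "lowValueScope", "highValueScope"
STEP_UP_ACR = "urn:example:acr:otp"       # hypothetical ACR for password + OTP


@dataclass
class Decision:
    status: int
    www_authenticate: str = ""


def authorize(claims: dict, amount: int) -> Decision:
    """Decide whether an already-validated access token may perform a transaction."""
    scopes = set(claims.get("scope", "").split())
    if not scopes & {LOW_SCOPE, HIGH_SCOPE}:
        # RFC 6750: token is valid but carries neither scope.
        return Decision(403, f'Bearer error="insufficient_scope", scope="{LOW_SCOPE}"')
    if amount <= HIGH_VALUE_THRESHOLD:
        return Decision(200)
    # High-value path: require the scope AND evidence of the stronger login.
    # Checking the scope alone would trust whoever issued it; the acr claim
    # records how the user actually authenticated.
    if HIGH_SCOPE in scopes and claims.get("acr") == STEP_UP_ACR:
        return Decision(200)
    # RFC 9470 challenge telling the client which ACR to request.
    return Decision(
        401,
        'Bearer error="insufficient_user_authentication", '
        f'acr_values="{STEP_UP_ACR}"',
    )


# Constructed sample claims (signature, expiry and audience checks assumed done).
BASIC_TOKEN = {"sub": "alice", "scope": "lowValueScope", "acr": "urn:example:acr:pwd"}
STEPPED_UP_TOKEN = {"sub": "alice", "scope": "lowValueScope highValueScope",
                    "acr": STEP_UP_ACR}
MISISSUED_TOKEN = {"sub": "alice", "scope": "highValueScope",
                   "acr": "urn:example:acr:pwd"}

if __name__ == "__main__":
    for name, tok in [("basic", BASIC_TOKEN), ("stepped-up", STEPPED_UP_TOKEN),
                      ("mis-issued", MISISSUED_TOKEN)]:
        print(name, authorize(tok, 50), authorize(tok, 2_500_000))
```

The mis-issued token case is the one to watch: a token that carries highValueScope without the step-up ACR is still challenged, so a scope granted without the second factor does not unlock the high-value path.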
