Step-up Authentication for APIs
With step-up authentication, applications that allow access to different types of resources can require users to authenticate with a stronger mechanism to access sensitive information or perform certain transactions.
For instance, a user may be allowed to transfer money only after they have confirmed their identity using multi-factor authentication (MFA).
When your audience is an API, you can implement step-up authentication with Auth0 using scopes, Access Tokens and rules. In this article we will explain how you can do that and use a sample implementation to go through the process step-by-step.
How to check the Access Token
When an application wants to access an API's protected resources it must provide an Access Token. The resources that it will have access to depend on the permissions that are included in the Access Token. These permissions are defined as scopes.
For example, a banking API may accept two different levels of authorization: view account balance (scope
view:balance) or transfer funds (scope
transfer:funds). When an application asks the API to retrieve the user's balance, then the Access Token should contain the
view:balance scope. In order to transfer money to another account the Access Token should contain the
A sample flow for this example is the following:
- The user logs in to the application using username/password authentication. The standard login gives to this user the ability to interact with their API and fetch their balance. This means that the Access Token that the app receives after the user authentication contains the scope like
- The application sends a request to the API to retrieve the balance, using the Access Token as credentials
- The API validates the token and sends the balance info to the application
- Now the user wishes to transfer funds from one account to another, which is deemed a high-value transaction. The application sends a request to the API using the same Access Token
- The API validates the token and denies access since it's missing the required scope
- The application redirects to Auth0 and a rule is used to challenge the user to authenticate with MFA since a high-value scope was requested. Once the user successfully authenticates with MFA, a new Access Token which includes this scope is generated and sent to the application as part of the response
- The application sends again the transfer funds request using the new Access Token, which includes the
- The API validates the token, discards it (thereby treating it like a single-use token) and proceeds with the operation
Note that the API needs to do more validations than just check the scope. These are:
- Verify the token's signature. The signature is used to verify that the sender of the token is who it says it is and to ensure that the message wasn't changed along the way.
- Validate the standard claims:
exp(when the token expires),
iss(who issued the token),
aud(who is the intended recipient of the token)
For details on how to do these validations, see the Verify Access Tokens for Custom APIs article.
In this section we will see how you would implement the scenario described in the previous paragraph.
Before you start
This tutorial assumes that you have already done the following:
- Register an application. For the purposes of this example we'll be using a single-page web app
- Create a database connection
- Register the API. It should include two scopes:
- Enable Multi-factor Authentication. For the purposes of this example we'll be using push notifications
1. Create the rule
First we will create a rule that will challenge the user to authenticate with MFA when the
transfer:funds scope is requested.
Go to Dashboard > Multi-factor Auth and modify the script as follows.
CLIENTS_WITH_MFA variable holds the Client IDs of all the applications you want to use this rule. You can remove this (and the
if statement that follows) if you don't need it.
context.request.query.scope property contains all the scopes that the authentication request asked for. If it includes the value
transfer:funds then we ask for MFA by setting the
context.multifactor property to the appropriate value. In this case we are asking for MFA using Push.
2. Configure your application
Next you need to configure your application to send the appropriate authentication request, depending on the action that the user wants to perform. Notice that the only difference between the two authentication requests (with or without MFA) is the scope
audienceto the Identifier of your API (find it at API Settings). We set ours to
response_typeis set to
id_token tokenso we get both an ID Token and an Access Token in the response
client_idto the Client ID of your application (find it at Application Settings)
- Set the
redirect_urito the URL of your application that Auth0 should redirect back to after authentication (find it at Application Settings)
nonceto a cryptographically-secure string value which will be included in the response from Auth0. This is used to prevent token replay attacks and is required for
stateto an opaque value that Auth0 includes when redirecting back to the application. This value must be used by the application to prevent CSRF attacks
3. Configure your API
Finally, you need to make your API validate the incoming token and check the authorized permissions.
For the purposes of this example we will configure two endpoints for our API:
GET /balance: used to retrieve the current balance
POST /transfer: used to transfer funds
We will be using Node.js and a number of modules:
- express: adds the Express web application framework
- jwks-rsa: retrieves RSA signing keys from a JWKS (JSON Web Key Set) endpoint. Using
expressJwtSecretwe can generate a secret provider that will provide the right signing key to
express-jwtbased on the
kidin the JWT header
- express-jwt: lets you authenticate HTTP requests using JWT tokens in your Node.js applications. It provides several functions that make working with JWTs easier
- express-jwt-authz: checks if the Access Token contains a specific scope
Start with installing the dependencies.
Next define the API endpoints, create a middleware function to validate the Access Token, and secure the endpoints using that middleware. The code in your
server.js file should look like the following sample script.
Each time the API receives a request the following will happen:
- The endpoint will call the
express-jwtwill decode the token and pass the request, the header and the payload to
jwks-rsawill then download all signing keys from the JWKS endpoint and see if a one of the signing keys matches the
kidin the header of the Access Token. If none of the signing keys match the incoming
kid, an error will be thrown. If we have a match, we will pass the right signing key to
express-jwtwill the continue its own logic to validate the signature of the token, the expiration, audience and the issuer
jwtAuthzwill check if the scope that the endpoint requires is part of the Access Token
That's it, you're done! Now your application allows access to different types of resources using a stronger mechanism to perform certain high-value transactions.