Securing API with JWT and elevated access using MFA
At my company we have a central auth server running IdentityServer. There are a number of applications providing some API to client applications. API requests are authenticated with JWT tokens issued by said auth server. It works fine for our purposes.
We have a new requirement that basically needs a secondary verification for some actions.
Scenario goes like this:
- User logs into an app.
- User wants to perform an action that requires elevated access and he is asked to confirm the action.
- User enters a one time password from TOTP/SMS
- Intent is confirmed and API responds to action.
The implementation I have in mind is as follows:
- API gets a request, checks the JWT `amr` claim, sees no `otp`, returns 401 Unauthorized/403 Forbidden with `WWW-Authenticate: mfa` (or something along those lines) and a unique id for the action
- App gets the 401 response and notices it needs to verify the action with OTP, then redirects to the auth server with the given id
- Auth server verifies the OTP and returns a new but short-lived JWT (with `amr=otp`) that only authorizes said action
- App uses this JWT to resend the request to the API
- API performs restricted action
- App continues using regular JWT (discards JWT used for OTP)
Now my question is, do you think this is a valid/good approach? Are there better ways of handling this operation?