By: Tim Nowaczyk user 27 Sep 2019 at 1:29 p.m. CDT

1 Response
Tim Nowaczyk gravatar
Open IDC Client config for App A uses default username/password authentication ![Pic 1](https://i.imgur.com/xwcHEZh.png) OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** app a - **Client ID:** @!XXXX.XXXX.XXXX.XXXX!XXXX!XXXX.XXXX!XXXX!XXXX.XXXX.XXXX.XXXX - **Subject Type:** public - **Expirattion date:** Mon Sep 25 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** true - **Authentication method for the Token Endpoint:** client_secret_basic - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Logout Uri:** [https://app-a-review.example.net/callback?logout=get, https://app-a.example.net/callback?logout=get, https://app-a-staging.example.net/callback?logout=get] - **Logout Redirect URIs:** [http://localhost:8080/goodbye.html, https://app-a-review.example.net/goodbye.html, http://app-a-review.example.net/goodbye.html] - **Scopes:** [email, openid, profile, user_name] - **Grant types:** [authorization_code] - **Response types:** [code] Open IDC Client config for App B overrides "Default requested Authentication Context Class Reference (ACR) values" to be "otp" ![Pic 2](https://i.imgur.com/7y4bxJF.png) OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** app b - **Client ID:** @!XXX.XXXX.XXXX.XXXX!XXXX!XXXX.XXXX!XXXX!XXXX.XXXX.XXXX.XXXX - **Subject Type:** public - **Expirattion date:** Sat Sep 23 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** true - **Authentication method for the Token Endpoint:** client_secret_basic - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Login Redirect URIs:** [http://app-b.example.net/] - **Scopes:** [email, openid, profile, memberOf] - **Grant types:** [authorization_code] - **Response types:** [code] - **DefaultAcrValues:** [Ljava.lang.String;@4bd4c9ff User logs into App A, and successfully authenticates with just their username and password. When user then logs into App B, the user is allowed in without a prompt for their OTP. I would like the user to have to perform OTP authentication for App B if they haven't yet done so. Is this possible?

By William Lowe user 29 Sep 2019 at 7:08 p.m. CDT

William Lowe gravatar
Yes, but it's not a server setting, the application has to send along `prompt=login` in the OpenID authentication request. Take a look at [this section of the spec](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).