Step up your authentication game | Alisa Duncan | ng-conf 2024

Step-up authentication allows implementing different authentication strength levels for sensitive operations rather than treating all authentication equally

Key components for implementing step-up auth in Angular:

• Route guards to protect sensitive routes
• HTTP interceptors to handle auth errors
• Integration with identity provider (e.g. Okta) that supports ACR values
• Handling of www-authenticate headers and error responses

ACR (Authentication Context Class Reference) claims in tokens define the authentication level/strength, with values like:

• 2FA for two-factor authentication
• PHR for phishing resistant
• Custom values as needed

Implementation flow:

1. API returns 401 with insufficient_authentication error
2. Angular intercepts error and redirects to identity provider
3. User completes stronger auth method
4. New tokens issued with elevated ACR claim
5. Original request retried with new tokens

Benefits include:

• More granular security than binary logged-in/out states
• Protection of sensitive operations
• Standardized approach via OAuth 2.0 spec
• No need to decrease overall session times

Best practices:

• Validate tokens and ACR claims on both frontend and backend
• Use route data to configure required auth levels
• Handle auth redirects and state management
• Support multiple authentication methods (biometrics, security keys, etc)

OAuth 2.0 Step-Up Authentication spec (RFC 9470) provides standardized way to implement elevated authentication requirements across applications