OAuth 2.0 Step Up Authentication Challenge

How does it work?

The protocol introduces a new error code value:

insufficient_user_authentication: The authentication event associated with the access token presented with the request does not meet the authentication requirements of the protected resource.

It also defines WWW-Authenticate auth-param values for the OAuth authentication schemes to convey the authentication requirements back to the client:

acr_values: A space-separated string listing the authentication context class reference values in order of preference. The protected resource requires one of these values for the authentication event associated with the access token. The authentication context conveys information about how authentication takes place (e.g., what authentication method(s) or assurance level to meet).
max_age: This value indicates the allowable elapsed time in seconds since the last active authentication event associated with the access token. An active authentication event entails a user interacting with the authorization server in response to an authentication prompt.

The OAuth 2.0 Step Up Authentication Challenge Protocol provides the following advantages:

Flexibility: Resource servers can require different authentication strengths or freshness according to the characteristics of a request.
Security: The protocol provides a mechanism for a client to request that an authorization server achieve a specific authentication strength or recentness when processing an authorization request.

The OAuth 2.0 Step Up Authentication Challenge Protocol poses the following challenges:

Complexity: The protocol introduces a new mechanism that resource servers can use to signal to a client that the authentication event associated with the access token of the current request does not meet its authentication requirements and, further, how to meet them.
Compatibility: The protocol requires support from both the resource server and the client.