Mattermost Peer-to-Peer Forum

Client side plugin control over authentication

Is there a mechanism for a client-side plugin to trigger a re-authentication with a SAML or OIDC authenticator, requesting a higher LOA or authentication method? The use case is:

  1. MM server configured to use SAML or OIDC
  2. User logs in using a username and password
  3. User tries to access a message or attachment which is protected/encrypted
  4. A client-side plugin determines that the user is allowed to access the protected data, but must first re-authenticate using a 2nd factor, like OTP.

SAML and OIDC provide mechanisms to allow a relying party to request a certain level of assurance or authentication method (using LOA or query params). So the question is whether a client-side plugin can have any influence on how the webapp authenticates or re-authenticates a user. Thanks.
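To make the OIDC side of the question concrete, here is an added example (not Mattermost code and not from the poster) of what a relying party does for a step-up: build an authorization request with `acr_values`, `prompt=login` and `max_age=0`, then check that the returned ID token's `acr` and `auth_time` claims actually satisfy the requested level. The endpoint, client id, ACR URNs and sample claims are constructed placeholders, and the ID token is assumed to have been signature-verified already by the OIDC library.

```javascript
// Added example: relying-party side of an OIDC step-up (not Mattermost code).
// All endpoint, client and ACR values below are constructed placeholders.

// Build the authorization request that forces a fresh login at one of the
// requested assurance levels. prompt=login and max_age=0 make the provider
// re-authenticate even when an SSO session already exists.
function buildStepUpAuthUrl({ authorizationEndpoint, clientId, redirectUri, state, nonce, acrValues }) {
  const url = new URL(authorizationEndpoint);
  const p = url.searchParams;
  p.set("response_type", "code");
  p.set("scope", "openid");
  p.set("client_id", clientId);
  p.set("redirect_uri", redirectUri);
  p.set("state", state);           // CSRF binding for the callback
  p.set("nonce", nonce);           // replay binding for the ID token
  p.set("prompt", "login");
  p.set("max_age", "0");
  p.set("acr_values", acrValues.join(" ")); // space-separated, in order of preference
  return url.toString();
}

// Decide whether the (already signature-verified) ID token claims prove a
// recent authentication at an acceptable ACR. A reason string rather than a
// boolean keeps the failure visible in logs.
function checkStepUp(claims, { acceptableAcr, expectedNonce, maxAuthAgeSeconds, now }) {
  if (claims.nonce !== expectedNonce) return "nonce mismatch";
  if (!acceptableAcr.includes(claims.acr)) return `acr '${claims.acr}' not acceptable`;
  if (typeof claims.auth_time !== "number") return "auth_time missing";
  if (now - claims.auth_time > maxAuthAgeSeconds) return "authentication too old";
  return "ok";
}

// Constructed sample claims, as an IdP might return after an OTP step-up.
const SAMPLE_CLAIMS = { sub: "user-123", nonce: "n-1", acr: "urn:example:loa2", auth_time: 1700000000 };
```

The provider is free to ignore `acr_values` (it is a voluntary claim request in OIDC Core), which is why the `acr` check on the returned token, not the request, is what enforces the policy.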
