I have an application in which the execution of certain actions within the system requires the user to perform a digital signature (i.e. re-enter the user credentials) for them. I want to implement this using Azure AD (B2C) OIDC SSO. My plan was to redirect to the authorization URL with the OIDC parameters prompt=login and max_age=0 (inspired by this article from 2017), but this does not appear to be supported by Azure AD anymore, as I get the following error message when trying it:
AADB2C90120: The max age parameter '0' specified in the request is invalid. Max age must be an integer between '900' and '86400' inclusive.
An authentication 900 seconds old would not be recent enough, by a long shot, to guarantee that the user has re-authenticated for the action that required a signature. Can one get around the 900-second restriction somehow? Is there some other way to approach this problem?
Using prompt=login is sufficient: as soon as the user lands on the authentication page with this param, the session cookies get destroyed, so the article's implication that it is not enough doesn't apply anymore.
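The following is an added example, not code from the question or the answer above, showing how a relying party would put this together: build the B2C authorization request with prompt=login and no max_age (so the AADB2C90120 rejection never occurs), bind the request to the pending action with a fresh state and nonce, and then, rather than trusting that the prompt was honoured, check the returned ID token's auth_time against the moment the challenge was issued. Tenant, policy, client ID and redirect URI are constructed placeholders; the token claims are assumed to have been signature-verified already by your OIDC library, and the code assumes the token carries the standard OIDC auth_time claim.

```python
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed example values (not a real tenant, policy or client ID).
TENANT = "contoso"
POLICY = "B2C_1_signin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example/auth/callback"
CLOCK_SKEW_SECONDS = 60


def build_reauth_url(state: str, nonce: str) -> str:
    """Authorization request that forces an interactive login.

    prompt=login is the only recency control sent: Azure AD B2C rejects
    max_age below 900 seconds (AADB2C90120), so max_age is left out entirely.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    return f"{base}?{urlencode(params)}"


def start_signature_challenge() -> dict:
    """Server-side record created when the sensitive action begins.

    Store it in the user's session: state ties the callback to this action,
    nonce ties the ID token to this request, issued_at is the recency floor.
    """
    return {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "issued_at": int(time.time()),
    }


def auth_is_fresh(claims: dict, challenge: dict, now: Optional[int] = None) -> bool:
    """Decide whether the returned ID token proves a re-login for this action.

    `claims` must already be signature-verified (iss, aud, exp checked by the
    OIDC library). This adds the two checks specific to step-up:
      1. nonce matches the challenge, so the token was minted for this request;
      2. auth_time (assumed present, standard OIDC claim) is not older than
         the moment the challenge was issued, minus clock skew, so a cached
         session could not have satisfied it.
    """
    now = int(time.time()) if now is None else now
    if claims.get("nonce") != challenge["nonce"]:
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False          # no proof of when authentication happened
    if auth_time < challenge["issued_at"] - CLOCK_SKEW_SECONDS:
        return False          # authenticated before the action started
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return False          # implausible future timestamp
    return True


if __name__ == "__main__":
    challenge = start_signature_challenge()
    print(build_reauth_url(challenge["state"], challenge["nonce"]))
    # Constructed claims standing in for a verified ID token payload.
    fresh = {"nonce": challenge["nonce"], "auth_time": challenge["issued_at"] + 20}
    stale = {"nonce": challenge["nonce"], "auth_time": challenge["issued_at"] - 3600}
    print(auth_is_fresh(fresh, challenge), auth_is_fresh(stale, challenge))
```

The auth_time comparison is what makes the design robust regardless of how the identity provider treats prompt=login: if a future policy change let an existing session through, the token would carry an old auth_time and the action would be refused.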