Step-Up

POST 
/api/auth/step-up

Requests step-up authentification. This re-authentication is required by critical endpoints.

2FA:

If the user enabled 2FA, the step-up will not be granted immediately. Instead, a TwoFactorAuthenticationToken is set as HTTP-only cookie and returned in the response body if header authentication is enabled.

You can complete the step-up through the endpoint POST /api/auth/2fa/step-up.

Request Body:

When requesting a step-up for a GUEST there is no way to authenticate the user. Therefore, no request body is required in this case.

If you request a step-up for a regular USER, it will result in a 400 - BAD REQUEST.

Locale

A locale can be specified for this request. This will be used for the email 2FA code if this method is enabled for the user. You can learn more about 2FA through email here.

If no locale is specified, the applications default locale will be used. You can learn more about configuring the default locale here.

Tokens

• Requires a valid AccessToken.
• If 2FA is disabled and the request is successful, StepUpToken will automatically be set as HTTP-only cookie. If header authentication is enabled, the StepUpToken will be returned in the response body and can be used to authorized critical requests.

Request

Responses

200

Authentication successful.

400

The following error codes correspond to this status:

• MISSING_PASSWORD_PARAMETER: Indicates that the request is missing a password parameter.
• NO_PASSWORD: Indicates that the user does not have a password set.

401

The following error codes correspond to this status:

• ACCESS_TOKEN_EXPIRED: Indicates that the access token is expired.
• ACCESS_TOKEN_INVALID: Indicates that the access token cannot be decoded.
• AUTHENTICATION_REQUIRED: User is not authenticated.
• INVALID_CREDENTIALS: Invalid credentials.
• SESSION_EXPIRED: Indicates that the user's session has expired.

403

The following error codes correspond to this status:

• STEP_UP_TOKEN_CREATION_FORBIDDEN: Thrown when a step-up token is requested from an illegal context.

404

The following error codes correspond to this status:

• PRINCIPAL_NOT_FOUND: No principal with specified ID found.

500

The following error codes correspond to this status:

• ACCESS_TOKEN_ALLOWLIST_READING_FAILURE: Represents an exception indicating a failure when reading the allowlist for an access token cache.
• DATABASE_FAILURE: Exception representing a general failure related to database operations.
• DATABASE_ENCRYPTION_FAILURE: Exception representing a general failure related to database encryption operations.
• INVALID_DATABASE_OBJECT: Indicates an invalid document stored in the database.
• TWO_FACTOR_AUTHENTICATION_TOKEN_ENCODING_FAILURE: Represents an exception that occurs during the encoding process of an two-factor authentication token.
• TWO_FACTOR_AUTHENTICATION_TOKEN_SECRET_FAILURE: Represents an exception that occurs when there is a failure related to the secret required for creating an two-factor authentication token.
• HASH_FAILURE: Exception representing a general failure related to hashing operations.
• STEP_UP_TOKEN_ENCODING_FAILURE: Represents an exception that occurs during the encoding process of a step-up token.
• STEP_UP_TOKEN_SECRET_FAILURE: Represents an exception that occurs when there is a failure related to the secret required for creating a refresh token.
• COOKIE_CREATION_FAILURE: Thrown when an exception occurred during the creation of a cookie.