Is it possible to force a re-authorization (i.e. asking for username and password) from the LinkedIn OAuth API?
Usecase:
To protect sensitive data, in case someone forgets to log out, some actions on our site can only be taken after you re-verify yourself with your password (even when logged in). We allow login using LinkedIn, in which case the user does not have a separate password on our site. In this case we would like to force a re-authorization (username/password) from the LinkedIn API so that the user can still confirm his identity.
The important issue here is that it cannot just accept because the user is already logged in on LinkedIn and has accepted the app; this would not provide any level of security for someone who has forgotten to log out. It has to explicitly ask for authorization by password again.
There is no way to force re-asking of the OAuth username/password once the user has logged in other than to log them out of LinkedIn first.
You can see this in action by opening your LinkedIn JSAPI-enabled site and having the user ‘Sign in with LinkedIn’. Once you have completed the initial OAuth sign-in/authorization, open a tab in the same browser and go to linkedin.com – you will also have been logged into the site.
In your case, if the user simply walks away from the computer leaving the browser open, they will still be logged into both your site AND linkedin.com. Closing the browser, or logging out via the API or the linkedin.com site, will solve this.
One strategy might be that any access to ‘sensitive’ data generates a logout, which will clear the cookies but not the app authorization, and then to instantiate the auth dialog:
Details here. I’ve tested this and it seems to work well.
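The logout-then-reauthorize strategy from the answer above, written out as an added example that is not part of the original answer. The `provider` object is an assumed abstraction standing in for the LinkedIn JSAPI calls (`IN.User.logout`, `IN.User.authorize`, and a profile lookup for the member id); the fake provider and member ids are constructed for offline testing. The extra check it adds is that the identity coming back from re-authorization must match the one already bound to the session, otherwise someone at an unattended browser could simply sign in as themselves and pass the gate.

```javascript
// Step-up gate for sensitive actions when the only credential is a LinkedIn login.
// Strategy from the answer: log out of LinkedIn first (clears the LinkedIn session
// cookie but not the app authorization), then open the authorization dialog again
// so LinkedIn has to ask for the password. `provider` is an assumed abstraction;
// with the LinkedIn JSAPI it would wrap IN.User.logout / IN.User.authorize and a
// profile lookup for the member id.
function stepUpViaReauth(provider, session, sensitiveAction) {
  // 1. Drop the provider session so a cached login cannot satisfy step 2.
  provider.logout();

  // 2. Re-run the authorization flow; the user must re-enter credentials.
  if (!provider.authorize()) {
    return { allowed: false, reason: 'reauth-cancelled' };
  }

  // 3. The identity that completed the dialog must be the one our session is
  //    bound to; a different LinkedIn account must not unlock this session.
  const memberId = provider.currentMemberId();
  if (memberId !== session.linkedInMemberId) {
    return { allowed: false, reason: 'identity-mismatch' };
  }

  // 4. Record when step-up happened so the app can expire it after a short window.
  session.lastStepUpAt = Date.now();
  return { allowed: true, result: sensitiveAction() };
}

// Constructed fake provider for offline testing. `memberAfterReauth` models which
// LinkedIn account completes the re-authorization dialog; `calls` records the order
// in which the gate used the provider.
function fakeProvider({ authorizes = true, memberAfterReauth = 'member-1' } = {}) {
  const calls = [];
  return {
    calls,
    logout: () => { calls.push('logout'); },
    authorize: () => { calls.push('authorize'); return authorizes; },
    currentMemberId: () => memberAfterReauth,
  };
}
```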