I want the user to have to re-authenticate in certain cases where they are about to perform privileged actions. Of course I can log them out and the login flow would just start over but that seems messy.
It seems like getting access to the pac4j configured client (OidcClient for example) at runtime would be promising as I would likely be able to get the identity/login URL, but I haven't found a way to do that in the docs.
An instance of a client is shared among all incoming HTTP requests so changing it on the fly will lead to unwanted behavior.
Though, you could create two OidcClient: prompt=login for example (setCustomParams) to force a re-authentication.
And when you want to trigger a re-authentication, you could perform a local logout: profileManager.removeProfiles() and target a protected URL with your second client: /protected?force_client=ForceLoginOidcClient.
Notice that it would certainly be better to perform a SLO at the OIDC OP to avoid any desynchronization between client applications.
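A sketch of the two-client setup described in the answer above, as an added example that is not code from the original thread or from the pac4j project. It assumes pac4j 5.x; the class name, the regular client's name, the client id/secret placeholders and the example.org URLs are hypothetical.

```java
import org.pac4j.core.client.Clients;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;

public final class ReauthClients {

    // Client name used in ?force_client=..., taken from the answer above.
    static final String FORCE_LOGIN = "ForceLoginOidcClient";

    // Each client gets its own configuration object: a client instance is
    // shared by all requests, so the prompt=login variant is a separate
    // client rather than a runtime mutation of the regular one.
    private static OidcConfiguration baseConfig() {
        OidcConfiguration cfg = new OidcConfiguration();
        cfg.setClientId("CLIENT_ID_PLACEHOLDER");         // placeholder
        cfg.setSecret("CLIENT_SECRET_PLACEHOLDER");       // placeholder
        cfg.setDiscoveryURI(                              // hypothetical OP
            "https://op.example.org/.well-known/openid-configuration");
        return cfg;
    }

    public static Clients build() {
        // Regular login: the OP may reuse an existing SSO session.
        OidcClient regular = new OidcClient(baseConfig());
        regular.setName("OidcClient");

        // Privileged actions: prompt=login asks the OP to re-authenticate.
        OidcConfiguration forceCfg = baseConfig();
        forceCfg.addCustomParam("prompt", "login");
        OidcClient forceLogin = new OidcClient(forceCfg);
        forceLogin.setName(FORCE_LOGIN);

        // Hypothetical callback URL shared by both clients.
        return new Clients("https://app.example.org/callback",
                           regular, forceLogin);
    }

    // Local logout, then return the URL that starts a login through the
    // forcing client. The caller issues the redirect.
    public static String startReauth(ProfileManager profileManager) {
        profileManager.removeProfiles();
        return "/protected?force_client=" + FORCE_LOGIN;
    }
}
```

The security filter on /protected has to list both client names, otherwise the force_client parameter is rejected. With more than one client, pac4j by default appends a client_name query parameter to the callback URL, so both resulting redirect URIs need to be registered at the OP.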