I have an existing web site that uses OAuth for authentication (authorization code flow). The user enters user name and password during initial sign-on and may be prompted for 2FA depending on analysis of the user's device signature and other risk factors. This works fine as it is.
Now I have been asked to add step-up authentication to this site. With step-up authentication, certain high-risk features require a 2FA challenge to be answered.
As I understand it, a step-up authentication challenge can be accomplished by sending the browser back to the authorization endpoint, providing an acr_values of "urn:okta:loa:2fa". The problem is that this value tells the authorization server that I am requesting "any two factors." But I don't want any two factors. They have already authenticated with a password at this point. I want only the second factor (in this case, OOB OTP) to be presented and answered, under the assumption that the password was already correctly provided earlier.
Is there a way to tell the auth server that I only want the second factor, and not the first?
To complicate matters, it's likely that this step-up event will occur after the original token has already passed its expiration. So I can't reliably leverage the existing IDP session.
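One way to build the step-up request described above with `acr_values` and then verify what the IdP actually asserted in the returned ID token, as an added example that is not part of the original question (the authorize endpoint, client id and redirect URI are placeholders, and signature, issuer, audience and expiry validation are assumed to be done by an OIDC library beforehand):

```python
# Added example, not code from the question. acr_values is only a request
# (a voluntary claim in OIDC), so the relying party must check the acr and
# auth_time claims that come back before unlocking the high-risk feature.
import secrets
import time
from urllib.parse import urlencode

STEP_UP_ACR = "urn:okta:loa:2fa"  # acr value named in the question


def build_step_up_request(authorize_url, client_id, redirect_uri,
                          acr_values=STEP_UP_ACR, max_age=300):
    """Return (url, state, nonce). Persist state/nonce server-side, bound to
    the pending high-risk action, so the callback can be matched to it.
    max_age makes auth_time mandatory in the ID token and asks the IdP to
    re-authenticate if its session is older than that many seconds."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": acr_values,
        "max_age": str(max_age),
    }
    return f"{authorize_url}?{urlencode(params)}", state, nonce


def step_up_satisfied(claims, expected_nonce, required_acr=STEP_UP_ACR,
                      max_age=300, now=None):
    """Check the step-up-specific claims of an already-validated ID token."""
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False  # response not tied to our pending request
    if claims.get("acr") != required_acr:
        return False  # IdP did not assert the requested context
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False  # required when max_age was sent; treat absence as failure
    if now - auth_time > max_age:
        return False  # authentication event too old for this action
    return True
```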