WebAuthn / T100373: U2F integration for Extension:OATHAuth enables authentication methods which don't really involve the browser (tap the hardware key, touch the fingerprint reader, or just let the camera scan your face). There are other lightweight authentication options as well (e.g. once we have the infrastructure for push notifications, we could provide functionaries with a browser extension that receives a push message and shows a little verification dialog). Instead of the very intrusive web redirects we are currently doing for reauthentication, we should support asynchronous reauth.
Internally, this would require:
- A way to get the elevated security expiry time, so the client-side logic can trigger a new async reauth when needed. (This would be a trivial change, except that the SecuritySensitiveOperationStatus hook might need to signal that the expiry time is not actually relevant, might want to change the expiry time etc.)
- An API to do the reauthentication. There doesn't seem to be any reason why the already existing clientlogin API could not be it. (Also, a poor man's version could be just opening the login page in a separate window/tab, no API needed.)
- Either the module would have to be able to update form tokens, or the auth framework should avoid resetting form tokens when extending an elevated-security period (reauthenticating with some security level while that security level is already active).