
Samples for authZ request validator and the interaction response generator #67

Closed
brockallen opened this issue Jul 23, 2022 · 2 comments · Fixed by #95
@brockallen
Member

Maybe show authz req validator to impose some logic on request validation. And interaction response generator to show something like re-authN user for some acr_values request (e.g. MFA).

Context: https://github.com/DuendeSoftware/IdentityServer/discussions/683

@josephdecock
Member

@brockallen or @leastprivilege, I have a few questions about this:

  1. What kind of logic are we looking for on request validation? How about something like certain acr_values are allowed on a per-client basis? That way we could say "this client is allowed to make a request that forces re-authn".
  2. In order to do the re-authn, it looks like I should override AuthorizeInteractionResponseGenerator.ProcessLoginAsync. There I'll check for a magic acr_value that means re-authn is required. If I see that, I'm not sure what I should do. What are the semantics of re-authn? Should it end the session? I think I have to in order to force the user to authenticate again, but then any clients that were participating in the old session won't be in the new session. I'd like to call AuthenticateAsync first and keep track of the client list from the result's properties until we do authenticate later. The trouble is, I don't see an obvious way to pass the client list along in the InteractionResponse.
  3. Is there a good/standard acr_value to use to indicate re-authn is required?

@brockallen
Member Author

You could start to build a sample to require MFA. Client home page allows just amr of password, then the more secure page requires mfa. The client would need that check, and then re-trigger OIDC passing acr_values, and IdentityServer would need the authZ interaction response gen to know/check, and then the UI/login page would then have to handle that -- this is a common scenario.
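The two pieces discussed above (a custom authorize request validator that gates which clients may ask for a step-up acr value, and an `AuthorizeInteractionResponseGenerator` override that forces the login page when the current session lacks an `mfa` amr) sketched as an added example. This is not code from the samples repo or from the PR that closed this issue. It assumes the Duende IdentityServer v6 API (`ISystemClock` in the generator constructor, `ICustomAuthorizeRequestValidator`, `ValidatedAuthorizeRequest.AuthenticationContextReferenceClasses`); the acr value `mfa`, the client property name `allow_mfa_acr` and the class names are hypothetical choices for this example, not a standard.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Duende.IdentityServer.Configuration;
using Duende.IdentityServer.ResponseHandling;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Validation;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical acr_value a client sends to demand a fresh MFA login.
// OIDC defines no standard value for this; the name is an assumption of this example.
public static class AcrValues
{
    public const string Mfa = "mfa";
}

// 1. Custom authorize request validator: only clients that opted in (via a
//    hypothetical "allow_mfa_acr" client property) may request acr_values=mfa.
//    Runs after the built-in validation, so ValidatedRequest is already populated.
public class MfaAcrRequestValidator : ICustomAuthorizeRequestValidator
{
    public const string AllowMfaAcrProperty = "allow_mfa_acr";

    public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
    {
        var request = context.Result.ValidatedRequest;
        var wantsMfa = request.AuthenticationContextReferenceClasses.Contains(AcrValues.Mfa);

        var clientAllowed =
            request.Client.Properties.TryGetValue(AllowMfaAcrProperty, out var allowed) &&
            allowed == "true";

        if (wantsMfa && !clientAllowed)
        {
            // Reject the request rather than silently ignoring the acr value,
            // so a misconfigured client fails loudly instead of skipping MFA.
            context.Result.IsError = true;
            context.Result.Error = OidcConstants.AuthorizeErrors.InvalidRequest;
            context.Result.ErrorDescription = "client is not allowed to request acr_values=mfa";
        }
        return Task.CompletedTask;
    }
}

// 2. Interaction response generator: when acr_values=mfa is requested and the
//    current session's amr claims do not include "mfa", send the user to the
//    login page. The session is NOT ended here; the login UI is expected to
//    run the second factor and sign the user in again with an "mfa" amr claim.
public class MfaInteractionResponseGenerator : AuthorizeInteractionResponseGenerator
{
    public MfaInteractionResponseGenerator(
        IdentityServerOptions options,
        ISystemClock clock,
        ILogger<AuthorizeInteractionResponseGenerator> logger,
        IConsentService consent,
        IProfileService profile)
        : base(options, clock, logger, consent, profile) { }

    protected override async Task<InteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request)
    {
        // Let the built-in checks (not authenticated, prompt=login, max_age, idp:/tenant: acr values) run first.
        var result = await base.ProcessLoginAsync(request);
        if (result.IsLogin || result.IsError) return result;

        if (!request.AuthenticationContextReferenceClasses.Contains(AcrValues.Mfa)) return result;

        var amr = request.Subject?.FindAll(JwtClaimTypes.AuthenticationMethod).Select(c => c.Value)
                  ?? Enumerable.Empty<string>();

        if (!amr.Contains(AcrValues.Mfa))
        {
            // The acr_values travel with the returnUrl, so the login page can read them via
            // IIdentityServerInteractionService.GetAuthorizationContextAsync(returnUrl).AcrValues.
            return new InteractionResponse { IsLogin = true };
        }
        return result;
    }
}

// Registration (hypothetical extension method; call it from Program.cs after AddIdentityServer).
public static class MfaStepUpRegistration
{
    public static IIdentityServerBuilder AddMfaStepUp(this IIdentityServerBuilder builder)
    {
        return builder
            .AddCustomAuthorizeRequestValidator<MfaAcrRequestValidator>()
            .AddAuthorizeInteractionResponseGenerator<MfaInteractionResponseGenerator>();
    }
}
```

The check is deliberately done on the `amr` claim of the current session rather than on whether the user is authenticated at all, so a password-only session is pushed through the second factor while a session that already carried `mfa` passes straight through. The client-side half (re-triggering OIDC with `acr_values=mfa` on the protected page, then checking the `amr` claim on the returned identity) and the login page's handling of `AcrValues` are left to the UI, as the comment above describes.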

@josephdecock josephdecock linked a pull request Dec 16, 2022 that will close this issue