AuthGeek Demo
Demo 7 — Step-Up Authentication Flow

Dynamic Authorization &
Level of Assurance

See exactly how Step-Up Authentication works under the hood. When a user attempts a high-risk action, the Gateway evaluates the current Level of Assurance (ACR). If it's too low, the Gateway rejects the request with actionable instructions, prompting the SPA to request elevated factors (like WebAuthn) from the Identity Provider.

React SPA APISIX Gateway Keycloak IDP LOA / ACR WebAuthn OPA Policies

Step-Up Authentication Flow

Observe how the API Gateway issues precise, actionable 403 errors, instructing the Client App to elevate the user's Level of Assurance (ACR) via the Identity Provider.

Control Flow: