Add support for auth_time Claim #9

Open

chamathns opened this issue Oct 19, 2020 · 0 comments

@chamathns (Contributor)

Description:
Rule 13 of the ID Token Validation section [1] states:

If the auth_time Claim was requested, either through a specific request for this Claim or by using the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.

The auth_time claim can be requested in the authentication request sent to the OIDC provider [2] via the OPTIONAL max_age parameter, or else auth_time can be requested as an Essential Claim. In both of these scenarios, inclusion of the auth_time claim in the ID Token is MANDATORY.

Going forward, this claim should be supported since it provides information the client could use to prevent attacks.

[1] - https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
[2] - https://openid.net/specs/openid-connect-core-1_0.html#AuthenticationRequest
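The two halves of what the issue asks for, as an added example that is not part of this issue or of the project's code base: building an authentication request that requests auth_time (either through max_age or as an Essential Claim in the claims parameter), and then applying rule 13 to the claims of an ID Token whose signature, iss, aud, exp and nonce have already been verified. The function names, the AuthTimeResult enum, the clock_skew tolerance and the claim values in the test are all assumptions made for illustration; the language is Python regardless of what the project itself is written in.

```python
import json
import time
from enum import Enum


class AuthTimeResult(Enum):
    """Outcome of the rule-13 check (names are this example's, not the spec's)."""
    NOT_REQUESTED = "not_requested"      # neither max_age nor an essential claim was used
    OK = "ok"                            # auth_time present and fresh enough
    MISSING = "missing"                  # requested, but the OP omitted it: reject the token
    INVALID = "invalid"                  # wrong type, or a time in the future
    REAUTH_REQUIRED = "reauth_required"  # too much time elapsed since End-User authentication


def build_authentication_request(client_id, redirect_uri, state, nonce,
                                 max_age=None, require_auth_time=False):
    """Return the query parameters of an OIDC authentication request.

    Requesting auth_time can be done either with the max_age parameter
    or with the claims parameter marking auth_time as essential.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if require_auth_time:
        # claims is a JSON object; id_token.auth_time.essential=true asks
        # the OP to include auth_time in the ID Token.
        params["claims"] = json.dumps({"id_token": {"auth_time": {"essential": True}}})
    return params


def check_auth_time(claims, max_age=None, auth_time_essential=False,
                    now=None, clock_skew=60):
    """Apply ID Token Validation rule 13 to already-verified ID Token claims.

    max_age / auth_time_essential must be the values the client actually
    sent in the authentication request (bind them to the session, like nonce);
    otherwise the check can be bypassed by simply not including the claim.
    clock_skew (seconds) is a tolerance for clock drift between OP and RP.
    """
    requested = max_age is not None or auth_time_essential
    if not requested:
        return AuthTimeResult.NOT_REQUESTED

    auth_time = claims.get("auth_time")
    if auth_time is None:
        # The claim is mandatory once requested; treat its absence as a failure.
        return AuthTimeResult.MISSING
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return AuthTimeResult.INVALID

    now = time.time() if now is None else now
    if auth_time > now + clock_skew:
        return AuthTimeResult.INVALID
    if max_age is not None and (now - auth_time) > max_age + clock_skew:
        return AuthTimeResult.REAUTH_REQUIRED
    return AuthTimeResult.OK


if __name__ == "__main__":
    # Constructed sample: auth_time 1,000, max_age 300, checked at t=1,400.
    req = build_authentication_request("client-123", "https://rp.example/cb",
                                       state="s1", nonce="n1", max_age=300)
    print(req["max_age"])
    print(check_auth_time({"auth_time": 1000}, max_age=300, now=1400))
```

When the result is REAUTH_REQUIRED, the client should send a fresh authentication request, normally with prompt=login, rather than accept the token; when it is MISSING the OP did not honour a mandatory claim and the token should be rejected, not silently accepted as if auth_time had never been requested.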
