updated_at not using Unix timestamp (in seconds) but in milliseconds #3785

Closed
5 tasks done
IchordeDionysos opened this issue Jun 24, 2024 · 1 comment
Labels
bug Something is not working.

IchordeDionysos commented Jun 24, 2024

Preflight checklist

Ory Network Project

https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com

Describe the bug

I've been running OIDC conformance tests using Ory Hydra (hosted on Ory network) and it seems like the user info endpoint (https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com/userinfo) returns all timestamps as Unix timestamp in seconds (rat, auth_time, iat) but updated_at as Unix timestamp in milliseconds (as JS does it).

This leads to the test failing with the error:

updated_at in userinfo appears to be in the future
updated_at: Dec 25, 52671, 12:26:40 AM
now: Jun 24, 2024, 8:10:37 PM

{
  "amr": [
    "oidc"
  ],
  "aud": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "auth_time": 1700000000,
  "iat": 1700000000,
  "iss": "https://inspiring-hopper-b5cn7ocqrx.projects.oryapis.com",
  "name": "Firstname Lastname",
  "rat": 1700000000,
  "sub": "00000000-0000-0000-0000-000000000000",
  "updated_at": 1600000000000
}

I was using the Test variant:

client_auth_type=client_secret_basic, server_metadata=static, response_type=code, response_mode=default, client_registration=static_client

Reproducing the bug

  1. Create a new OAuth2 Client in Ory.
    1. Grant at least the scopes openid and profile
    2. Select all grant types (maybe less are also possible ?!)
    3. Select all response types (maybe less are also possible ?!)
    4. Select access token type JWT (maybe others are also possible ?!)
    5. Select Authentication Method HTTP Basic Authorization
    6. Rest can be empty, create and keep track of the secret
  2. Create test plan on https://www.certification.openid.net/
    1. Go to "Create a new test plan"
    2. Select the "OpenID Connect Core: Basic Certification Profile Authorization server test" test case
    3. Use Server metadata location: "static"
    4. Use Client Registration Type: "static_client"
    5. Use issuer: https://[slug].projects.oryapis.com
    6. Use jwks_uri: https://[slug].projects.oryapis.com/.well-known/jwks.json
    7. Use authorization_endpoint: https://[slug].projects.oryapis.com/oauth2/auth
    8. Use token_endpoint: https://[slug].projects.oryapis.com/oauth2/token
    9. Use userinfo_endpoint: https://[slug].projects.oryapis.com/userinfo
    10. Use the Ory generated client_id (for both client and client for client_secret_post)
    11. Use the previously generated client secret (for both client and client for client_secret_post)
    12. Click "Create test plan"
  3. On the newly created test plan:
    1. Go to the test "Test Name: oidcc-scope-profile"
    2. Click "Run test"
    3. Copy the redirect URI from the URI shown when being prompted for browser interaction
    4. Add the redirect URI as allowed redirect URI in the OAuth2 client in Ory
    5. Don't forget to click "save"
    6. Click "Proceed with test"
    7. Sign-in using one of the configured login methods.
    8. When prompted for OIDC permissions to grant, allow both openid and profile
    9. Click "Allow"
    10. Go back to the test which should not be completed with an error

Relevant log output

No response

Relevant configuration

No response

Version

1.2.0

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

No response

@IchordeDionysos IchordeDionysos added the bug Something is not working. label Jun 24, 2024
Collaborator

alnr commented Aug 14, 2024

Fixed in #3819 and ory/kratos-selfservice-ui-node#344

@alnr alnr closed this as completed Aug 14, 2024
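
A relying-party-side check for the mismatch reported in this issue, as an added example that is not part of the thread or of Ory's code. OIDC Core defines `updated_at` as a number of seconds since the Unix epoch, so the check flags any time claim that lies in the future as seconds and notes when it would be plausible as milliseconds. `CheckTimestamps`, `maxSkew` and the inline `sample` are assumptions made for illustration; the sample is constructed from the values in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Claims checked as seconds since the Unix epoch (the four named in the report).
var timeClaims = []string{"auth_time", "iat", "rat", "updated_at"}

const maxSkew = 5 * time.Minute // assumed clock-drift tolerance

// Constructed sample carrying the timestamp values from the report.
const sample = `{"auth_time":1700000000,"iat":1700000000,"rat":1700000000,"updated_at":1600000000000}`

// CheckTimestamps (hypothetical helper) returns one finding per implausible time claim.
func CheckTimestamps(body []byte, now time.Time) ([]string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, fmt.Errorf("userinfo is not a JSON object: %w", err)
	}
	limit := now.Add(maxSkew).Unix()
	var findings []string
	for _, name := range timeClaims {
		raw, ok := claims[name]
		if !ok {
			continue // claim absent, nothing to check
		}
		var v float64
		if err := json.Unmarshal(raw, &v); err != nil {
			findings = append(findings, name+": not a JSON number")
			continue
		}
		switch secs := int64(v); {
		case secs <= limit: // plausible as seconds
		case secs/1000 <= limit:
			findings = append(findings, name+": in the future as seconds, plausible as milliseconds")
		default:
			findings = append(findings, name+": in the future")
		}
	}
	return findings, nil
}

func main() {
	now := time.Date(2024, time.June, 24, 20, 10, 37, 0, time.UTC)
	fmt.Println(CheckTimestamps([]byte(sample), now))
}
```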