Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-3218

Support for "max_age" in AuthorizationEndpoint and "auth_time" claim on IDToken



    • Enhancement
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • 2.0.0.CR1
    • 2.1.0.CR1
    • None
    • None


      The snippet from OIDC specs about max_age parameter http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest :

          OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds 
      since the last time the End-User was actively authenticated by the OP. If the elapsed time is 
      greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The 
      max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age 
      request parameter.) When max_age is used, the ID Token returned MUST include an auth_time 
      Claim Value. 

      and in IDToken http://openid.net/specs/openid-connect-core-1_0.html#IDToken is this :

          Time when the End-User authentication occurred. Its value is a JSON number representing the 
      number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a 
      max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is 
      REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically 
      corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.) 

      and in IDToken validation chapter http://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation

      If the auth_time Claim was requested, either through a specific request for this Claim or by using 
      the max_age parameter, the Client SHOULD check the auth_time Claim value and request 
      re-authentication if it determines too much time has elapsed since the last End-User authentication. 

      There are currently 2 failed tests from OIDC conformance testsuite related to this. One is using "max_age=1" and second is using "max_age=10000" . Details of both in attachements.

      It seems we have 2 issues right now:

      • We don't add 'auth_time' claim into IDToken. It seems we should use the time when user was authenticated (eg. userSession.getStartTime() ) rather than time when clientSession was started (request to AuthorizationEndpoint was sent).
      • We don't require user to re-authenticate if max_age is used. It depends what exactly is meant by " OP MUST attempt to actively re-authenticate the End-User. ", but my understanding is that SSO cookie re-authentication should be avoided if auth_time is too old. We can likely easily implement the hook in CookieAuthenticator to be ignored if auth_time is old. Then user will need to re-authenticate through other authenticators and auth_time will be updated based on that.


        Issue Links



              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda
              0 Vote for this issue
              1 Start watching this issue