Hi,

In the OIDC specification, auth_time is defined as below [1]:

> Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL.

In the current implementation, when the user is authenticated for the first time using user credentials, auth_time is taken as the session created time. After that, when the user is implicitly logged in using a cookie without giving user credentials, auth_time is taken as the session updated time. I think the auth_time should be the first time the user authenticated using credentials.

[2] is the fix made for this issue.

Thank you.

[1] - http://openid.net/specs/openid-connect-core-1_0.html
[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455

--
Hasini Witharana
Software Engineering Intern | WSO2
Email : [email protected]
Mobile : +94713850143
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
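The distinction the mail draws, as an added example that is not the WSO2 code from the linked PR: a session records when the user actually presented credentials, a later cookie-based login refreshes the session but must not move auth_time, and a relying party that requested max_age only accepts a recent credential-based authentication. All names here (Session, issue_id_token, check_max_age) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    subject: str
    created_at: int   # epoch seconds of the credential-based authentication
    updated_at: int   # refreshed on every implicit (cookie) login


def login_with_credentials(subject: str, now: int) -> Session:
    """First login: the user proved who they are, so this is auth_time."""
    return Session(subject=subject, created_at=now, updated_at=now)


def login_with_cookie(session: Session, now: int) -> Session:
    """Implicit login from an existing session cookie: no credentials shown."""
    session.updated_at = now
    return session


def issue_id_token(session: Session, now: int, max_age: Optional[int] = None,
                   essential: bool = False, fixed: bool = True) -> dict:
    """Build the ID token claims. auth_time is only REQUIRED when max_age was
    requested or the claim was marked essential. fixed=False reproduces the
    behaviour reported in the mail (auth_time follows the session update)."""
    claims = {"sub": session.subject, "iat": now}
    if max_age is not None or essential:
        claims["auth_time"] = session.created_at if fixed else session.updated_at
    return claims


def check_max_age(claims: dict, max_age: int, now: int) -> bool:
    """Relying-party side: the user must have authenticated with credentials
    within the last max_age seconds, otherwise force re-authentication."""
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False  # claim is REQUIRED once max_age was requested
    return now - auth_time <= max_age
```

With a session created at t=1000 and refreshed by cookie at t=5000, a max_age of 300 is correctly rejected with the fix, whereas the old behaviour would have satisfied it without the user ever re-entering credentials.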
