On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana <[email protected]> wrote:
> Hi, > > In the OIDC specification auth_time is defined as below.[1] > > Time when the End-User authentication occurred. Its value is a JSON number > representing the number of seconds from 1970-01-01T0:0:0Z as measured in > UTC until the date/time. When a max_age request is made or when auth_time > is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, > its inclusion is OPTIONAL. > > In the current implementation when the user is authenticated for the first > time using user credentials, auth_time is considered as the session created > time. After that when user is implicitly login in using a cookie without > giving user credentials, auth_time is considered as session updated time. > If SP sends a force authe request, Are we creating a new session or update the existing session ? If max_age is expired, Does SP need to send a force auth request or just an authentication request ? Thanks, Asela. > > As I think the auth_time should be the first time user authenticated using > credentials. > [2] is the fix made for this issue. > > Thank you. > > [1] - http://openid.net/specs/openid-connect-core-1_0.html > [2] - https://github.com/wso2-extensions/identity-inbound- > auth-oauth/pull/455 > > -- > > *Hasini Witharana* > Software Engineering Intern | WSO2 > > > *Email : [email protected] <[email protected]>* > > *Mobile : +94713850143 <+94%2071%20385%200143>[image: > http://wso2.com/signature] <http://wso2.com/signature>* > -- Thanks & Regards, Asela ATL Mobile : +94 777 625 933 +358 449 228 979 http://soasecurity.org/ http://xacmlinfo.org/
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
