Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-09-06 Thread Hasanthi Purnima Dissanayake
Hi Hasini,

The spec does not speak directly about auth_time when the user has a
previous session. IMO, when we send the request without prompt=none,
since 'auth_time' indicates the time the user authenticated, if the user does
not have a previous session then 'auth_time' should be the session created
time, and if the user has a previous session then it should be the session
updated time.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M: 0718407133 | http://wso2.com

On Wed, Aug 30, 2017 at 10:56 AM, Hasini Witharana  wrote:

> Hi Asela,
>
> We take the session updated time as the new auth_time.
>
> Thank you.
>
> On Tue, Aug 29, 2017 at 5:59 PM, Asela Pathberiya  wrote:
>
>>
>>
>> On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana 
>> wrote:
>>
>>> Hi Asela,
>>>
>>> If SP sends a force auth request, we update the existing session.
>>>
>>
>> So;  Are we generating new auth_time when session is updated ?
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-29 Thread Hasini Witharana
Hi Asela,

We take the session updated time as the new auth_time.

Thank you.

On Tue, Aug 29, 2017 at 5:59 PM, Asela Pathberiya  wrote:

>
>
> On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana 
> wrote:
>
>> Hi Asela,
>>
>> If SP sends a force auth request, we update the existing session.
>>
>
> So;  Are we generating new auth_time when session is updated ?
>



-- 

Hasini Witharana
Software Engineering Intern | WSO2

Email : hasi...@wso2.com
Mobile : +94713850143


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-29 Thread Asela Pathberiya
On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana  wrote:

> Hi Asela,
>
> If SP sends a force auth request, we update the existing session.
>

So, are we generating a new auth_time when the session is updated?





-- 
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
 +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-29 Thread Hasini Witharana
Hi Asela,

If SP sends a force auth request, we update the existing session.

Thanks,
Hasini



On Wed, Aug 23, 2017 at 1:27 PM, Asela Pathberiya  wrote:

>
>
> On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana 
> wrote:
>
>> Hi,
>>
>> In the OIDC specification auth_time is defined as below.[1]
>>
>> Time when the End-User authentication occurred. Its value is a JSON
>> number representing the number of seconds from 1970-01-01T0:0:0Z as
>> measured in UTC until the date/time. When a max_age request is made or
>> when auth_time is requested as an Essential Claim, then this Claim is
>> REQUIRED; otherwise, its inclusion is OPTIONAL.
>>
>> In the current implementation, when the user is authenticated for the
>> first time using user credentials, auth_time is considered to be the session
>> created time. After that, when the user implicitly logs in using a cookie
>> without giving user credentials, auth_time is considered to be the session
>> updated time.
>>
>
> If the SP sends a force auth request, are we creating a new session or
> updating the existing session?
>
> If max_age has expired, does the SP need to send a force auth request or just
> an authentication request?
>
> Thanks,
> Asela.
>



-- 

Hasini Witharana
Software Engineering Intern | WSO2

Email : hasi...@wso2.com
Mobile : +94713850143


Re: [Dev] Regarding auth_time claim in OIDC id_token

2017-08-23 Thread Asela Pathberiya
On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana  wrote:

> Hi,
>
> In the OIDC specification auth_time is defined as below.[1]
>
> Time when the End-User authentication occurred. Its value is a JSON number
> representing the number of seconds from 1970-01-01T0:0:0Z as measured in
> UTC until the date/time. When a max_age request is made or when auth_time
> is requested as an Essential Claim, then this Claim is REQUIRED; otherwise,
> its inclusion is OPTIONAL.
>
> In the current implementation, when the user is authenticated for the first
> time using user credentials, auth_time is considered to be the session created
> time. After that, when the user implicitly logs in using a cookie without
> giving user credentials, auth_time is considered to be the session updated time.
>

If the SP sends a force auth request, are we creating a new session or
updating the existing session?

If max_age has expired, does the SP need to send a force auth request or just
an authentication request?

Thanks,
Asela.




-- 
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
 +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/


[Dev] Regarding auth_time claim in OIDC id_token

2017-08-23 Thread Hasini Witharana
Hi,

In the OIDC specification, auth_time is defined as below [1]:

Time when the End-User authentication occurred. Its value is a JSON number
representing the number of seconds from 1970-01-01T0:0:0Z as measured in
UTC until the date/time. When a max_age request is made or when auth_time
is requested as an Essential Claim, then this Claim is REQUIRED; otherwise,
its inclusion is OPTIONAL.

In the current implementation, when the user is authenticated for the first
time using user credentials, auth_time is considered to be the session created
time. After that, when the user implicitly logs in using a cookie without
giving user credentials, auth_time is considered to be the session updated time.

I think the auth_time should be the time the user first authenticated using
credentials.
[2] is the fix made for this issue.

Thank you.

[1] - http://openid.net/specs/openid-connect-core-1_0.html
[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455

-- 

Hasini Witharana
Software Engineering Intern | WSO2

Email : hasi...@wso2.com
Mobile : +94713850143
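As an added example (not WSO2 code and not the change in the linked pull request), the Python model below contrasts the two auth_time choices discussed in this thread and shows why the difference matters for a max_age request: with auth_time taken from the session updated time, a cookie-only SSO login an hour after the last credential entry still passes an RP's max_age=300 check, whereas auth_time taken from the last credential authentication makes the OP re-authenticate and lets the RP detect the stale login. The session fields, policy names and timeline are constructed for illustration; the max_age rule is the one in OpenID Connect Core 1.0 section 3.1.2.1.

```python
from dataclasses import dataclass

MAX_AGE = 300  # seconds; constructed value for the RP's max_age request parameter


@dataclass
class Session:
    """SSO session state kept by the OP (hypothetical fields)."""
    last_credential_auth: int  # epoch seconds when credentials were last verified
    last_updated: int          # epoch seconds when the session was last used via cookie


def login(session: Session, now: int, credentials_presented: bool) -> Session:
    """OP side: process an authentication request arriving at time `now`.
    A cookie-based SSO login touches the session but is not an authentication event;
    only presenting credentials (a forced re-authentication) moves last_credential_auth."""
    if credentials_presented:
        session.last_credential_auth = now
    session.last_updated = now
    return session


def auth_time(session: Session, policy: str) -> int:
    """Value placed in the id_token auth_time claim under each policy."""
    if policy == "session_updated":   # behaviour the thread describes as current
        return session.last_updated
    if policy == "credential_auth":   # behaviour the proposed fix implements
        return session.last_credential_auth
    raise ValueError(f"unknown policy {policy!r}")


def op_must_reauthenticate(session: Session, max_age: int, now: int) -> bool:
    """OIDC Core 3.1.2.1: if more than max_age seconds have elapsed since the user
    was actively authenticated, the OP MUST actively re-authenticate the user."""
    return now - session.last_credential_auth > max_age


def rp_max_age_ok(token_auth_time: int, max_age: int, now: int) -> bool:
    """RP side: when max_age was requested, check that the returned auth_time is
    recent enough; if not, the RP has to send a request that forces re-authentication."""
    return now - token_auth_time <= max_age


def scenario(policy: str) -> tuple:
    """Constructed timeline: credentials entered at t=0; at t=3600 the user arrives with
    only the SSO cookie while the RP asked for max_age=300. Returns (auth_time, rp_accepts)."""
    s = Session(last_credential_auth=0, last_updated=0)
    login(s, now=3600, credentials_presented=False)
    at = auth_time(s, policy)
    return at, rp_max_age_ok(at, MAX_AGE, now=3600)
```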