Hi Hasini,

The spec does not speak directly about the auth_time when the user has a
previous session. IMO, when we send the request without prompt=none, since
'auth_time' indicates the time the user authenticated, if the user does not
have a previous session then the 'auth_time' should be the session created
time, and if the user has a previous session then it should be the session
updated time.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com
M : 0718407133 | http://wso2.com

On Wed, Aug 30, 2017 at 10:56 AM, Hasini Witharana <hasi...@wso2.com> wrote:

> Hi Asela,
>
> We take the session updated time as the new auth_time.
>
> Thank you.
>
> On Tue, Aug 29, 2017 at 5:59 PM, Asela Pathberiya <as...@wso2.com> wrote:
>
>>
>>
>> On Tue, Aug 29, 2017 at 4:29 PM, Hasini Witharana <hasi...@wso2.com>
>> wrote:
>>
>>> Hi Asela,
>>>
>>> If SP sends a force auth request, we update the existing session.
>>>
>>
>> So, are we generating a new auth_time when the session is updated?
>>
>>
>>>
>>> Thanks,
>>> Hasini
>>>
>>>
>>>
>>> On Wed, Aug 23, 2017 at 1:27 PM, Asela Pathberiya <as...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Aug 23, 2017 at 12:46 PM, Hasini Witharana <hasi...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> In the OIDC specification, auth_time is defined as below [1]:
>>>>>
>>>>> Time when the End-User authentication occurred. Its value is a JSON
>>>>> number representing the number of seconds from 1970-01-01T0:0:0Z as
>>>>> measured in UTC until the date/time. When a max_age request is made
>>>>> or when auth_time is requested as an Essential Claim, then this Claim
>>>>> is REQUIRED; otherwise, its inclusion is OPTIONAL.
>>>>>
>>>>> In the current implementation, when the user is authenticated for the
>>>>> first time using user credentials, auth_time is considered as the session
>>>>> created time. After that, when the user implicitly logs in using a cookie
>>>>> without giving user credentials, auth_time is considered as the session
>>>>> updated time.
>>>>>
>>>>
>>>> If the SP sends a force auth request, are we creating a new session or
>>>> updating the existing session?
>>>>
>>>> If max_age has expired, does the SP need to send a force auth request or
>>>> just an authentication request?
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>>
>>>>> As I think, the auth_time should be the first time the user authenticated
>>>>> using credentials.
>>>>> [2] is the fix made for this issue.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> [1] - http://openid.net/specs/openid-connect-core-1_0.html
>>>>> [2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/455
>>>>>
>>>>> --
>>>>>
>>>>> *Hasini Witharana*
>>>>> Software Engineering Intern | WSO2
>>>>>
>>>>>
>>>>> Email : hasi...@wso2.com
>>>>>
>>>>> Mobile : +94713850143
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> ATL
>>>> Mobile : +94 777 625 933
>>>>              +358 449 228 979
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
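The two auth_time policies discussed in this thread (credential-authentication time versus session updated time), modelled against the max_age rules in OpenID Connect Core 1.0 (section 3.1.2.1 for the OP, section 3.1.3.7 for the RP). This is an added example, not code from WSO2 Identity Server or from anyone in the thread; the Session record, its field names, the policy function names and the timestamps in the scenario are assumptions made for the illustration.

```python
# Added example, not WSO2 Identity Server code. The Session record, field
# names and policy names are assumptions made for this illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Session:
    created_at: int            # epoch seconds; the user presented credentials here
    last_credential_auth: int  # epoch seconds of the most recent credential prompt
    updated_at: int            # epoch seconds; bumped on every cookie-based SSO login


def auth_time_credential(session: Session) -> int:
    """Policy A: auth_time is the last time the End-User actively authenticated."""
    return session.last_credential_auth


def auth_time_session_updated(session: Session) -> int:
    """Policy B (a cookie login bumps auth_time): auth_time is the session updated time."""
    return session.updated_at


def op_must_reauthenticate(session: Session, max_age: int, now: int) -> bool:
    """OP side (Core 3.1.2.1): if more than max_age seconds have elapsed since the
    End-User was actively authenticated, the OP MUST attempt to re-authenticate."""
    return now - session.last_credential_auth > max_age


def rp_accepts_auth_time(auth_time: int, max_age: int, now: int) -> bool:
    """RP side (Core 3.1.3.7): when max_age was requested, the client checks the
    auth_time claim and requests re-authentication if too much time has elapsed."""
    return now - auth_time <= max_age


def cookie_sso_login(session: Session, now: int) -> Session:
    """A cookie-based login: no credentials are presented, only updated_at moves."""
    return replace(session, updated_at=now)


def forced_reauthentication(session: Session, now: int) -> Session:
    """A forced (prompt=login or max_age-triggered) re-authentication: the user
    presents credentials again, so both timestamps move."""
    return replace(session, last_credential_auth=now, updated_at=now)


def evaluate(session: Session, policy, max_age: int, now: int) -> dict:
    """What the RP concludes from the auth_time the OP would emit under `policy`,
    next to whether the OP itself should have re-authenticated the user."""
    auth_time = policy(session)
    return {
        "auth_time": auth_time,
        "op_must_reauthenticate": op_must_reauthenticate(session, max_age, now),
        "rp_accepts": rp_accepts_auth_time(auth_time, max_age, now),
    }


if __name__ == "__main__":
    # Constructed scenario: password login at t=0, a cookie-based SSO login at
    # t=3000, then an RP requesting max_age=600 at t=3000.
    s = Session(created_at=0, last_credential_auth=0, updated_at=0)
    s = cookie_sso_login(s, now=3000)
    for name, policy in (("credential", auth_time_credential),
                         ("session-updated", auth_time_session_updated)):
        print(name, evaluate(s, policy, max_age=600, now=3000))
    # After a forced re-authentication at t=3000 the two policies agree.
    s2 = forced_reauthentication(s, now=3000)
    print("after forced reauth", evaluate(s2, auth_time_credential, 600, 3001))
```

In the constructed scenario, Policy A emits auth_time=0, so the RP's max_age check fails and both sides agree re-authentication is due; Policy B emits auth_time=3000, so the RP's check passes even though no credentials were presented since t=0. After a forced re-authentication the two policies yield the same auth_time, which is the case the thread's force-auth question is about.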
