This repository was archived by the owner on Feb 23, 2025. It is now read-only.

AuthenticationTime nullable and null #317

Closed
JoFrMueller opened this issue May 28, 2021 · 3 comments

@JoFrMueller

JoFrMueller commented May 28, 2021

We just upgraded to [email protected] and realized that the following is nullable now.

LoginResult.AuthenticationTime

Aside from this change, it also really is null in our setups now and therefore makes our integration tests fail. Digging deeper in the code, we found that the AuthenticationTime is extracted from the TokenResponse itself by looking at the auth_time field. But the auth_time property usually only exists as part of the received access token next to the iat property. Not as part of the overall TokenResponse.

var authTimeValue = result.TokenResponse.TryGet(JwtClaimTypes.AuthenticationTime);

Furthermore, we don't understand the comment on the constant:

/// <summary>Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL.</summary>
public const string AuthenticationTime = "auth_time";

What is an "essential claim" or a "max age request" and where to configure this? Before the library update we used the following to describe the Flow, but this property also doesn't exist anymore.

var oidcClientOptions = new OidcClientOptions { Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode };

So we wonder: is it really expected that the TokenResponse itself provides an auth_field? If so, which configuration/document regarding OpenID or OAuth2 would describe how to beg the authenticator to include this property as part of its response? We're in full control of all authenticator properties, but as everything is okay with older versions of the same lib, we like to blame the IdentityModel.OidcClient library maintainers first.

Or is it a bug? And IdentityModel.OidcClient should have a look inside the access token content to extract the authentication time from there? Because on the authenticator backend side nothing changed and the access token provides the same information it provides since many years...

Thanks for guidance!

@leastprivilege leastprivilege self-assigned this Jul 14, 2021
@leastprivilege
Contributor

This was changed as part of a recent pull request. I need to have a look.

Authentication time should come from the id_token auth_time claim.
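
As an added illustration (not part of the thread and not IdentityModel.OidcClient's own code): reading `auth_time` from the id_token payload rather than from the top-level token response, and applying the max_age freshness check mentioned in the quoted constant's comment, which goes slightly beyond the question asked. The class and method names and the sample token are hypothetical, and the id_token is assumed to have already passed signature and issuer/audience validation.

```csharp
using System;
using System.Text;
using System.Text.Json;

public static class AuthTimeExample
{
    // Decodes the payload (second segment) of a compact JWT. No signature check here:
    // assumption is that the OIDC client library already validated the id_token.
    static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    // Returns null when auth_time is absent; the claim is OPTIONAL unless max_age
    // was sent or auth_time was requested as an essential claim.
    public static DateTimeOffset? GetAuthTime(string idToken)
    {
        var payload = ReadPayload(idToken);
        if (payload.TryGetProperty("auth_time", out var v)
            && v.ValueKind == JsonValueKind.Number && v.TryGetInt64(out var secs))
            return DateTimeOffset.FromUnixTimeSeconds(secs);
        return null;
    }

    // When max_age was requested, a missing or too-old auth_time must fail the login.
    public static bool SatisfiesMaxAge(string idToken, TimeSpan maxAge, DateTimeOffset now, TimeSpan skew)
    {
        var authTime = GetAuthTime(idToken);
        return authTime.HasValue && now - authTime.Value <= maxAge + skew;
    }

    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample id_token with a dummy signature segment, not from a real provider.
        var token = B64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "."
                  + B64Url("{\"sub\":\"alice\",\"iat\":1622200100,\"auth_time\":1622200000}") + ".sig";
        var now = DateTimeOffset.FromUnixTimeSeconds(1622200300); // 300 s after auth_time
        Console.WriteLine(GetAuthTime(token));
        Console.WriteLine(SatisfiesMaxAge(token, TimeSpan.FromSeconds(300), now, TimeSpan.Zero));
        Console.WriteLine(SatisfiesMaxAge(token, TimeSpan.FromSeconds(300), now.AddSeconds(1), TimeSpan.Zero));
    }
}
```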

@leastprivilege
Contributor

There was indeed a bug introduced by the PR - fixed here

#329

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 29, 2021