Update guidance on max age #326

Expand Up @@ -175,7 +175,7 @@ Use the guidance in the following table to replace placeholder values in your ex
| `ui_locales` | Optional | GOV.UK One Login supports English and Welsh as language choices. <br><br> If your service is in Welsh, you may want to display GOV.UK One Login in Welsh for a consistent user experience. You can use `ui_locales` to do this. <br> <br> In the `ui_locales` parameter, you can choose either `en` (English) or `cy` (Welsh). <br><br> Using `ui_locales` is optional. If you do not include it, your service will continue using English by default. <br><br> GOV.UK One Login does not support any other languages. |
| `vtr` | Optional | The `vtr` parameter represents ‘Vectors of Trust’ where you request authentication and, optionally, identity proving. For example, if you want the medium level of authentication and medium identity confidence, request `vtr=[“Cl.Cm.P2”]`. <br><br>You selected your Vector of Trust when you [chose the level of authentication][integrate.choose-level-of-auth] and [the level of identity confidence][integrate.choose-level-of-confidence] for your service.<br><br>You can read more about how to combine the vectors for authentication level and identity confidence in [Section 3 of RFC 8485](https://datatracker.ietf.org/doc/html/rfc8485#section-3.1). If you need identity proving, you must request `Cl.Cm` (the medium level of authentication).<br><br>If you do not specify the `vtr` parameter, your service will automatically log your users in at the medium level of authentication (`Cl.Cm`). This means you will not receive identity attributes in your response. |
| `claims` | Optional | To get the identity attributes your service needs, you should specify these in the `claims` parameter using the `/userinfo` endpoint. The `/userinfo` endpoint returns a JSON object listing the requested claims.<br><br>You can read more about [choosing which user attributes your service can request][integrate.choose-user-attributes].<br><br>You can [read more about the structure of the claims request in OpenID Connect section 5.5](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter). |
| `max_age` | Optional | `max_age` is only available to services not on the GOV.UK domain and those handling particularly sensitive data. Contact GOV.UK One Login support (https://www.sign-in.service.gov.uk/support) for more information. When the `max_age` parameter is included in your request, your user will be forced to reauthenticate if the time in seconds since authentication is greater than `max_age`. `max_age` must be set to zero or a positive integer. |
| `max_age` | Optional | `max_age` is only available to services not on the GOV.UK domain and those handling particularly sensitive data. When the `max_age` parameter is included in your request, your user will be forced to re-authenticate if the time in seconds since authentication is greater than `max_age`. `max_age` must be set to zero or a positive integer. <br><br>You'll need to [contact GOV.UK One Login support](https://www.sign-in.service.gov.uk/support) to request to use `max_age`. |


### Generate an authorisation code
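Review bot: the eligibility sentence in the replacement `max_age` row joins two conditions with "and" ("services not on the GOV.UK domain and those handling particularly sensitive data"), which leaves it unclear whether a service must meet both or either to be granted `max_age`; since the row now directs readers to contact support to request it, state the criteria explicitly, e.g. "services that are not on the GOV.UK domain, or that handle particularly sensitive data", whichever is intended. Two smaller points in the same row: it spells "re-authenticate" with a hyphen while the new page added in this PR is titled "Reauthenticating users" in its front matter, so one spelling should be used across the docs; and the row states that the user is forced to re-authenticate once the time since authentication exceeds `max_age` but gives the integrator no pointer to how that re-authentication is verified on the relying-party side, so a cross-reference to the new re-authentication page would help.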
@@ -0,0 +1,50 @@
---
title: Reauthenticating users
weight: 8
last_reviewed_on: 2024-09-5
review_in: 6 months
---

# Re-authenticating users

A user may need re-authenticating if they have an active authenticated session with GOV.UK One Login to make sure that they are the same user completing a journey, that started it.

Re-authentication requests are supported only for JWT-secured OAuth 2.0 authorisation requests (JARs).

### Setup

To re-authenticate a user, you must have:
an existing user session on your system
an ID token from GOV.UK One Login

You must then use the following table to input values into the required parameters (along with the standard parameters) as part of an authorisation request:


| Parameter name | Mandatory Y/N | Expected value |
| prompt | Y | `login` |
| id_token_hint | Y | ID token received from GOV.UK One Login. Note that if ID token is populated along with prompt=login, then the system will re-authenticate |


GOV.UK One Login will then take the users through the re-authentication journey. After a successful authentication and token exchanges, a refreshed ID token will be issued to the user by GOV.UK One Login and will redirect a user back to your system with an authorisation code. You must then:
request the ID token
validate the ID token for the latest timestamp and match the subject ID to make sure it is the same subject ID



### Error handling

If a user does not provide correct credentials as part of the re-authentication journey then GOV.UK One Login will send the login_required error to your system. You must handle this error but for security the user should be logged off if this error occurs. There are retries allowed for each credential. If a user exceeds the maximum retries allowed for each in a previous session before the retry count expires then GOV.UK One Login logs the user out.

Re-initiating the re-authentication journey that failed with the login_required error will fail until the user goes through a sign in journey with two-factor authentication. The sign-in journey can be undertaken within the user’s existing journey. If they choose this option they must make sure that the subject ID is the same as the originally signed in user.



### Troubleshooting

If an ID token is invalid then GOV.UK One Login will return an error code. For example :

Error in Callback
Error: invalid_request

Error description: Unable to validate id_token_hint

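Review bot: the parameter table starting at `| Parameter name | Mandatory Y/N | Expected value |` has no header separator row, so it will not render as a table in Markdown; add `| --- | --- | --- |` directly under the header line. The two item lists ("an existing user session on your system" / "an ID token from GOV.UK One Login", and "request the ID token" / "validate the ID token ...") have no list markers and will each render as a single run-on line; prefix the items with `- `. Further points: `last_reviewed_on: 2024-09-5` is not zero-padded (`2024-09-05`) and may not parse as a date in the front matter; the front matter title "Reauthenticating users" and the page heading "Re-authenticating users" disagree on the hyphen; the page jumps from `#` straight to `###` with no `##` level; the opening sentence ("to make sure that they are the same user completing a journey, that started it") needs rewording, e.g. "to make sure that the user completing a journey is the same user who started it"; `login_required`, `prompt=login` and `id_token_hint` in the prose should be in backticks like the other parameter names; the validation step "validate the ID token for the latest timestamp" does not name which ID token claim carries that timestamp, so an integrator cannot implement the check from this page alone; the sentence "If they choose this option they must make sure that the subject ID is the same" leaves "they" ambiguous between the user and the service; and the Troubleshooting error example is plain text and would read better as a fenced block. Finally, "There are retries allowed for each credential. If a user exceeds the maximum retries allowed for each in a previous session before the retry count expires" does not say how many retries are allowed or how long the count persists, which a service handling `login_required` needs in order to know when a retry is pointless.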