[keycloak-user] When should auth_time claim be updated?

Thomas Darimont thomas.darimont at googlemail.com
Fri Jul 28 07:35:31 EDT 2017


Hello Matt,

you need to create a JBoss jira account.

Cheers,
Thomas

2017-07-28 8:32 GMT+02:00 Matt Evans <mevans at aconex.com>:

> I've been trying to raise a jira ticket. I've gone to
> https://issues.jboss.org/browse/KEYCLOAK , signed up, and logged in but I
> can't create issues. The Create button isn't visible.
>
> Do I need to do something else?
>
> Thanks
>
> Matt
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, 27 July 2017 8:48 PM
> To: Matt Evans <mevans at aconex.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] When should auth_time claim be updated?
>
> Looks like a bug. Could you please create a JIRA for this?
>
> Thanks,
> Marek
>
> On 26/07/17 01:19, Matt Evans wrote:
> > After looking at the code it seems that this is controlled for each
> authentication attempt with the SSO_AUTH note, the CookieAuthenticator sets
> it as a client note if cookie authentication succeeds, and the
> AuthenticationManager checks it and if it's not true updates the auth_time.
> I can't see anywhere that clears it. I'm not sure how long client notes
> live, but I assume longer than the current authentication attempt, because
> once it's set, I can see that it stays true for all my "prompt=login"
> authentication attempts after that.
> >
> > I changed the CookieAuthenticator to clear the flag first and this seems
> to fix the problem for me, however, I'm not sure if that's the best
> approach?
> >
> > Matt
> >
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: Saturday, 22 July 2017 12:45 AM
> > To: Matt Evans <mevans at aconex.com>; keycloak-user <
> keycloak-user at lists.jboss.org>
> > Subject: Re: [keycloak-user] When should auth_time claim be updated?
> >
> > On 21/07/17 07:57, Matt Evans wrote:
> >> Hi
> >>
> >> We are working with keycloak v3.2.0 and are using 'prompt=login' to
> initiate a re-authentication for sensitive actions, and we use the
> auth_time claim to determine if this should occur.
> >>
> >> Ordinarily each time we redirect to the auth endpoint with
> 'prompt=login' the auth_time is updated to the time that the authentication
> occurred.
> >>
> >> However, if we then redirect to the auth endpoint and the cookie is
> valid and used, any subsequent time after this authentication that we use
> the auth endpoint with 'prompt=login' the auth_time claim is not updated.
> >>
> >> Is this intended behaviour?
> > Yes. The claim "auth_time" points to the time of the active
> authentication. And the re-authentication with SSO cookie is not treated as
> "active" authentication, so this won't update auth_time. With
> "prompt=login" you need actively authenticate, so that will update
> auth_time.
> >
> > Marek
> >> Thanks
> >>
> >> Matt
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
>
>
>
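The thread turns on two points: `auth_time` only moves on an active authentication, and a relying party that re-authenticates with `prompt=login` should check that it actually moved. The following is an added example of that relying-party check, not code from Keycloak or from anyone in the thread; the claim values, the 300-second maximum age and the 5-second skew allowance are constructed for illustration.

```python
# Relying-party side checks on the OIDC ID token's auth_time claim.
# Assumes the token's signature, issuer and audience were already verified
# and its payload decoded into a dict; only the freshness logic is shown.

MAX_AUTH_AGE_SECONDS = 300  # constructed policy: sensitive action needs a login < 5 min old
CLOCK_SKEW_SECONDS = 5      # constructed tolerance between RP and IdP clocks


def needs_reauth(claims, now, max_age=MAX_AUTH_AGE_SECONDS):
    """Decide whether to redirect to the auth endpoint with prompt=login.

    A missing or malformed auth_time is treated as stale so the check
    fails closed instead of silently allowing the sensitive action.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return True
    return (now - auth_time) > max_age


def fresh_login_confirmed(claims, redirect_time, skew=CLOCK_SKEW_SECONDS):
    """Verify that the token returned after a prompt=login redirect proves
    an *active* authentication: auth_time must not predate the redirect.

    This is the failure mode reported in the thread: the redirect happened,
    the user was prompted, but auth_time still carried the old SSO-cookie
    value. A relying party that trusts prompt=login without this check would
    treat that stale token as a completed re-authentication.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    return auth_time >= redirect_time - skew


def sensitive_action_allowed(claims, now, redirect_time=None):
    """Combine both checks: allowed only if the login is recent enough and,
    when a prompt=login round trip just happened, that round trip actually
    produced a fresh auth_time."""
    if needs_reauth(claims, now):
        return False
    if redirect_time is not None and not fresh_login_confirmed(claims, redirect_time):
        return False
    return True
```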

