Re: [keycloak-user] When should auth_time claim be updated?

I've been trying to raise a jira ticket. I've gone to https://issues.jboss.org/browse/KEYCLOAK , signed up, and logged in but I can't create issues. The Create button isn't visible. Do I need to do something else? Thanks Matt -----Original Message----- From: Marek Posolda [mailto:mposolda@redhat.com] Sent: Thursday, 27 July 2017 8:48 PM To: Matt Evans <mevans(a)aconex.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] When should auth_time claim be updated? Looks like a bug. Could you please create JIRA for this? Thanks, Marek On 26/07/17 01:19, Matt Evans wrote: > After looking at the code it seems that this is controlled for each authentication attempt with the SSO_AUTH note, the CookieAuthenticator sets it as a client note if cookie authentication succeeds, and the AuthenticationManager checks it and if it's not true updates the auth_time. I can't see anywhere that clears it. I'm not sure how long client notes live, but I assume longer than the current authentication attempt, because once it's set, I can see that it stays true for all my "prompt=login" authentication attempts after that. > > I changed the CookieAuthenticator to clear the flag first and this seems to fix the problem for me, however, I'm not sure if that's the best approach? > > Matt > > -----Original Message----- > From: Marek Posolda [mailto:mposolda@redhat.com] > Sent: Saturday, 22 July 2017 12:45 AM > To: Matt Evans <mevans(a)aconex.com>; keycloak-user < keycloak-user(a)lists.jboss.org&gt; > Subject: Re: [keycloak-user] When should auth_time claim be updated? > > On 21/07/17 07:57, Matt Evans wrote: >> Hi >> >> We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur. >> >> Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred. >> >> However, if we then redirect to the auth endpoint and the cookie is valid and used, any subsequent time after this authentication that we use the auth endpoint with 'prompt=login' the auth_time claim is not updated. >> >> Is this intended behaviour? > Yes. The claim "auth_time" points to the time of the active authentication. And the re-authentication with SSO cookie is not treated as "active" authentication, so this won't update auth_time. With "prompt=login" you need actively authenticate, so that will update auth_time. > > Marek >> Thanks >> >> Matt >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user