After looking at the code, it seems that this is controlled for each authentication attempt
with the SSO_AUTH note: the CookieAuthenticator sets it as a client note if cookie
authentication succeeds, and the AuthenticationManager checks it and, if it's not true,
updates the auth_time. I can't see anywhere that clears it. I'm not sure how long
client notes live, but I assume longer than the current authentication attempt, because
once it's set, I can see that it stays true for all my "prompt=login"
authentication attempts after that.
I changed the CookieAuthenticator to clear the flag first, and this seems to fix the
problem for me; however, I'm not sure if that's the best approach?
From: Marek Posolda [mailto:firstname.lastname@example.org]
Sent: Saturday, 22 July 2017 12:45 AM
To: Matt Evans <mevans(a)aconex.com>; keycloak-user
Subject: Re: [keycloak-user] When should auth_time claim be updated?
On 21/07/17 07:57, Matt Evans wrote:
We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a
re-authentication for sensitive actions, and we use the auth_time claim to determine if
this should occur.
Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the
auth_time is updated to the time that the authentication occurred.
However, if we then redirect to the auth endpoint and the cookie is valid and used, any
subsequent time after this authentication that we use the auth endpoint with
'prompt=login' the auth_time claim is not updated.
Is this intended behaviour?
Yes. The claim "auth_time" points to the time
of the active authentication. And the re-authentication with SSO cookie is not treated as
"active" authentication, so this won't update auth_time. With
"prompt=login" you need to actively authenticate, so that will update auth_time.
keycloak-user mailing list
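The thread turns on a relying party trusting that a `prompt=login` redirect produced a fresh active authentication, while the issued token still carried the old `auth_time`. The following is an added example (not code from Keycloak or from either poster) of the relying-party side: it decides whether a sensitive action needs re-authentication from `auth_time`, builds the re-authentication request with both `prompt=login` and `max_age` (which makes `auth_time` a required claim in the resulting ID token), and then checks that the token returned after the redirect really has a newer `auth_time` instead of assuming the redirect did its job. The claim dictionaries, the `SENSITIVE_MAX_AGE` policy value and the endpoint and client names are constructed sample data; signature and issuer validation of the ID token is assumed to have happened already.

```python
"""Relying-party handling of the OIDC auth_time claim around sensitive actions.

Added example for this thread, not Keycloak's own code. It assumes the ID
token's signature, issuer and audience were validated elsewhere and that the
decoded claims are available as a dict. All claim values below are constructed.
"""
import time
from typing import Optional
from urllib.parse import urlencode

# Maximum age, in seconds, of the last active authentication that a sensitive
# action will accept. Assumed policy value for this example.
SENSITIVE_MAX_AGE = 300

# Tolerated clock difference between RP and OP, in seconds (assumed).
CLOCK_SKEW = 60


def reauth_required(claims: dict, max_age: int = SENSITIVE_MAX_AGE,
                    now: Optional[float] = None) -> bool:
    """Return True when the user must actively re-authenticate.

    auth_time is the time of the last *active* authentication (OIDC Core 2),
    which is exactly what the thread says an SSO-cookie login does not refresh.
    A missing or non-numeric claim is treated as stale: the RP cannot prove
    recency, so it fails closed.
    """
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return True
    # An auth_time well in the future is either broken clocks or a bad claim;
    # either way the RP should not treat it as a recent login.
    if auth_time > now + CLOCK_SKEW:
        return True
    return (now - auth_time) > max_age


def build_reauth_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                     state: str, nonce: str, max_age: int = SENSITIVE_MAX_AGE) -> str:
    """Authorization request that forces an active authentication.

    prompt=login asks the OP to re-prompt the user; max_age additionally makes
    auth_time a REQUIRED claim in the ID token (OIDC Core 3.1.2.1), so the RP
    can verify afterwards that the OP actually re-authenticated.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "max_age": str(max_age),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def fresh_after_reauth(claims: dict, requested_at: float,
                       skew: int = CLOCK_SKEW) -> bool:
    """Check the token returned after a prompt=login round trip.

    The thread's failure mode is a token whose auth_time still points at the
    original login even though the RP just asked for re-authentication. The RP
    must compare auth_time with the moment it sent the request, not merely
    trust that the redirect happened.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    return auth_time >= requested_at - skew


if __name__ == "__main__":
    T0 = 1_500_000_000  # constructed: time of the user's original active login
    token = {"sub": "user-1", "auth_time": T0}

    # Sensitive action ten minutes later: the login is too old, so redirect.
    requested_at = T0 + 600
    if reauth_required(token, now=requested_at):
        print(build_reauth_url(
            "https://idp.example/realms/demo/protocol/openid-connect/auth",  # constructed
            "sensitive-app", "https://app.example/callback", "state-1", "nonce-1"))

    # Token that comes back with the old auth_time (the behaviour reported in
    # the thread) is rejected; one with a newer auth_time is accepted.
    print(fresh_after_reauth({"sub": "user-1", "auth_time": T0}, requested_at))       # False
    print(fresh_after_reauth({"sub": "user-1", "auth_time": T0 + 610}, requested_at))  # True
```

Treating `max_age` as a second signal next to `prompt=login` matters here: a relying party that only looks for the redirect to complete has no way to notice when the provider's cookie path short-circuits the active login and leaves `auth_time` untouched, whereas comparing the returned `auth_time` against the time the request was issued catches it.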