Yeah, what you say makes sense; however, the behaviour I am seeing is that as soon as I re-auth with the SSO cookie, the authentication time seems to get fixed, and any subsequent re-auth with "prompt=login" doesn't update the auth_time.
From: Marek Posolda [mailto:email@example.com]
Sent: Saturday, 22 July 2017 12:45 AM
To: Matt Evans <mevans(a)aconex.com>; keycloak-user
Subject: Re: [keycloak-user] When should auth_time claim be updated?
On 21/07/17 07:57, Matt Evans wrote:
We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur.

Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred.

However, if we then redirect to the auth endpoint and the cookie is valid and used, any subsequent time after this authentication that we use the auth endpoint with 'prompt=login' the auth_time claim is not updated.

Is this intended behaviour?
Yes. The claim "auth_time" points to the time of the active authentication. And the re-authentication with SSO cookie is not treated as "active" authentication, so this won't update auth_time. With "prompt=login" you need to actively authenticate, so that will update auth_time.
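The client-side logic the thread is about, as an added example that is not code from either poster or from Keycloak: a freshness check on the verified ID token's auth_time before a sensitive action, the prompt=login redirect that forces active authentication, and a fail-closed check on the token that comes back so that an auth_time which did not advance (the behaviour Matt describes) is rejected instead of triggering another redirect. Function names and the 300-second window are assumptions made for the example; the claims are assumed to come from an already signature-verified ID token.

```python
from urllib.parse import urlencode

# Seconds since the last *active* authentication we accept for a sensitive
# action (illustrative value, not something the thread specifies).
SENSITIVE_MAX_AGE = 300


def needs_reauth(claims: dict, now: int, max_age: int = SENSITIVE_MAX_AGE) -> bool:
    """True when the user's last active authentication is older than max_age.

    A missing or malformed auth_time is treated as stale: without it we cannot
    prove a recent login, so the safe default is to require one.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return True
    return now - auth_time > max_age


def reauth_redirect(auth_endpoint: str, client_id: str, redirect_uri: str,
                    state: str, nonce: str) -> str:
    """Build the authorization request that forces active authentication.

    prompt=login tells the OP to re-authenticate the user even though a valid
    SSO cookie exists; a cookie-only login would not refresh auth_time.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def reauth_satisfied(before: dict, after: dict, now: int,
                     max_age: int = SENSITIVE_MAX_AGE) -> bool:
    """Accept the post-redirect token only if it proves a fresh active login.

    If the OP hands back the old auth_time (the behaviour reported in the
    thread), the step-up is not satisfied; the caller should fail the
    sensitive action rather than redirect again and loop.
    """
    old = before.get("auth_time")
    new = after.get("auth_time")
    if not isinstance(new, int):
        return False
    if isinstance(old, int) and new <= old:
        return False  # auth_time did not advance: no active re-auth happened
    return not needs_reauth(after, now, max_age)
```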