On 21/07/17 07:57, Matt Evans wrote:
We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur.

Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred.

However, if we then redirect to the auth endpoint and the cookie is valid and used, any subsequent time after this authentication that we use the auth endpoint with 'prompt=login' the auth_time claim is not updated.

Is this intended behaviour?
Yes. The claim "auth_time" points to the time of the active authentication. And the re-authentication with SSO cookie is not treated as "active" authentication, so this won't update auth_time. With "prompt=login" you need to actively authenticate, so that will update
keycloak-user mailing list
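The practical consequence of the reply above is that a relying party must not assume a redirect with prompt=login produced a fresh login; it should verify the token and check the auth_time claim itself before allowing a sensitive action. The following is an added example of that check, not code from the thread or from Keycloak. It builds constructed HS256 tokens with an invented shared secret so it runs offline (a real Keycloak realm signs ID tokens with RS256 and the realm's public key would be used instead); the function names and the sample timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example tokens (hypothetical, not a Keycloak value).
SECRET = b"constructed-example-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT carrying the given claims (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str) -> dict:
    """Reject unexpected algorithms, check the signature in constant time, return claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def needs_reauth(token: str, max_age_seconds: int, now: Optional[int] = None) -> bool:
    """True when the token's auth_time is older than max_age_seconds (or missing).

    This is the relying-party side of the thread: whether the user went through
    prompt=login is irrelevant; only the auth_time actually carried by the
    verified token decides whether a sensitive action may proceed.
    """
    claims = verify_and_decode(token)
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return True  # fail closed: no evidence of when authentication happened
    return now - int(auth_time) > max_age_seconds


if __name__ == "__main__":
    NOW = 1_500_000_000  # constructed "current time" so the run is deterministic
    # Active login a minute ago: auth_time was refreshed.
    fresh = make_token({"sub": "alice", "auth_time": NOW - 60})
    # SSO-cookie case from the thread: redirect happened, but auth_time stayed at the old login.
    stale = make_token({"sub": "alice", "auth_time": NOW - 3600})
    print("fresh token needs re-auth:", needs_reauth(fresh, 300, NOW))
    print("stale token needs re-auth:", needs_reauth(stale, 300, NOW))
```

The stale token models exactly the situation Matt describes: the client redirected with prompt=login, but because the SSO cookie was accepted the auth_time claim still holds the earlier login time, so the check correctly demands a new active authentication. A missing auth_time is treated the same way rather than as "recent".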