[keycloak-user] When should auth_time claim be updated?

Matt Evans mevans at aconex.com
Fri Jul 21 01:57:38 EDT 2017


Hi

We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur.

Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred.

However, if we then redirect to the auth endpoint and the cookie is valid and used, then any subsequent time after this authentication that we use the auth endpoint with 'prompt=login', the auth_time claim is not updated.

Is this intended behaviour?

Thanks

Matt
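A relying-party side check for the situation described above, added here as an illustration and not code from the poster or from Keycloak: instead of trusting that a prompt=login round trip re-authenticated the user, the client records when it issued the redirect and only accepts the step-up if the returned auth_time is at least that recent and within a freshness window. The freshness window, the clock-skew tolerance, the requested_at bookkeeping and the token builder are assumptions for the example; ID token signature verification is assumed to happen in the OIDC library before these claims are inspected.

```python
import base64
import json

# Policy values assumed for the example, not taken from the post or from Keycloak.
MAX_AUTH_AGE_SECONDS = 300   # how fresh an authentication must be for a sensitive action
CLOCK_SKEW_SECONDS = 60      # tolerated difference between RP and IdP clocks


def decode_claims(id_token: str) -> dict:
    """Parse the payload segment of a JWT. Signature verification is assumed to
    have been done by the OIDC client library; this helper only decodes."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def step_up_satisfied(claims: dict, requested_at: int, now: int,
                      max_age: int = MAX_AUTH_AGE_SECONDS) -> bool:
    """Return True only if the prompt=login round trip produced a fresh authentication.

    requested_at: epoch seconds when the RP redirected with prompt=login.
    now: epoch seconds when the new ID token was received.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
        return False  # no usable auth_time: freshness cannot be proven
    if auth_time > now + CLOCK_SKEW_SECONDS:
        return False  # future-dated beyond tolerance: treat as invalid
    if auth_time < requested_at - CLOCK_SKEW_SECONDS:
        # auth_time predates our own request: the IdP reused the SSO session
        # instead of re-authenticating, which is the case reported in the post.
        return False
    return now - auth_time <= max_age


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed ID token for the example (not a real Keycloak token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed scenario: RP redirected at t=1000, user re-authenticated at t=1005.
    fresh = make_token({"sub": "user1", "auth_time": 1005})
    print(step_up_satisfied(decode_claims(fresh), requested_at=1000, now=1010))   # True
    # Constructed scenario: SSO cookie reused, auth_time still shows t=500.
    stale = make_token({"sub": "user1", "auth_time": 500})
    print(step_up_satisfied(decode_claims(stale), requested_at=1000, now=1010))   # False
```

When the stale case is detected, the application should treat the sensitive action as not authorised rather than retrying prompt=login in a loop.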