[keycloak-user] When should auth_time claim be updated?

Matt Evans mevans at aconex.com
Sun Jul 23 18:58:13 EDT 2017


Hi Marek

Yeah, what you say makes sense; however, the behaviour I am seeing is that as soon as I re-auth with the SSO cookie, the authentication time seems to get fixed, and any subsequent re-auth with "prompt=login" doesn't update the auth_time.

Matt

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Saturday, 22 July 2017 12:45 AM
To: Matt Evans <mevans at aconex.com>; keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] When should auth_time claim be updated?

On 21/07/17 07:57, Matt Evans wrote:
> Hi
>
> We are working with keycloak v3.2.0 and are using 'prompt=login' to initiate a re-authentication for sensitive actions, and we use the auth_time claim to determine if this should occur.
>
> Ordinarily each time we redirect to the auth endpoint with 'prompt=login' the auth_time is updated to the time that the authentication occurred.
>
> However, if we then redirect to the auth endpoint and the cookie is valid and used, any subsequent time after this authentication that we use the auth endpoint with 'prompt=login' the auth_time claim is not updated.
>
> Is this intended behaviour?
Yes. The claim "auth_time" points to the time of the active authentication. And the re-authentication with the SSO cookie is not treated as "active" authentication, so this won't update auth_time. With "prompt=login" you need to actively authenticate, so that will update auth_time.

Marek
>
> Thanks
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
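Added example (not from the thread, nor Keycloak's own code): the relying-party side of the step-up check Matt describes. It treats a missing or stale auth_time as "re-authenticate", builds the redirect with prompt=login plus max_age, and, because the thread shows auth_time may not advance after an SSO-cookie login, verifies on the way back that auth_time is at least the time the step-up was requested before allowing the sensitive action. The endpoint URL, client id, redirect URI and the claim values are assumed placeholders; the claims dict stands in for an ID token whose signature has already been verified elsewhere.

```python
import time
from urllib.parse import urlencode

# Assumed placeholders, not values from the thread.
AUTH_ENDPOINT = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "sensitive-app"
REDIRECT_URI = "https://app.example.com/callback"
CLOCK_SKEW = 60  # seconds of tolerated clock difference with the IdP


def auth_is_fresh(claims, max_age_seconds, now=None):
    """True if the (already signature-verified) ID token's auth_time is
    within max_age_seconds of now. A missing, non-integer or future-dated
    auth_time fails closed, i.e. forces a re-authentication."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    if auth_time > now + CLOCK_SKEW:
        return False
    return now - auth_time <= max_age_seconds


def step_up_url(state, nonce, max_age_seconds):
    """Authorization request that demands an active login. prompt=login asks
    Keycloak to show the login form even if the SSO cookie is valid; max_age
    additionally obliges the IdP to include auth_time in the ID token."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "prompt": "login",
        "max_age": str(max_age_seconds),
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def step_up_satisfied(new_claims, requested_at, expected_nonce, now=None):
    """Check the ID token returned after the prompt=login redirect.
    The nonce must bind it to our request, and auth_time must not predate
    the moment we asked for step-up: as the thread notes, a login served from
    the SSO cookie does not advance auth_time, so an unchanged value means the
    user did not actively authenticate and the sensitive action is refused."""
    now = int(time.time()) if now is None else now
    if new_claims.get("nonce") != expected_nonce:
        return False
    auth_time = new_claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False
    if auth_time > now + CLOCK_SKEW:
        return False
    return auth_time >= requested_at


def decide(claims, max_age_seconds, state, nonce, now=None):
    """Convenience wrapper: None when the current session is fresh enough,
    otherwise the URL the user must be redirected to."""
    if auth_is_fresh(claims, max_age_seconds, now):
        return None
    return step_up_url(state, nonce, max_age_seconds)


if __name__ == "__main__":
    # Constructed sample claims, standing in for a verified ID token.
    session = {"sub": "user-1", "auth_time": int(time.time()) - 3600}
    print(decide(session, 300, "state-1", "nonce-1"))
```

Record `requested_at` (the time you built the step-up URL) server-side alongside the state and nonce, never in a client-controlled parameter, so the comparison in `step_up_satisfied` cannot be influenced by the browser.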
