Description
Right now a client can provide a logout feature by simply "forgetting" the tokens. However, as long as a user still has an active session on the authorization server, going through the authentication flow will result in the same user being logged in again.
I want the client to be able to force re-authentication by providing the `max_age` request parameter in the authentication request.
Section 3.1.2.1 of the OpenID Connect Core spec defines `max_age` as:

> [...] the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User.
By using this parameter in combination with checking the `auth_time` claim, the client will be able to verify that the user was authenticated within a specific time frame.
I have also looked at the `prompt` request parameter, e.g. using `prompt=login` or `prompt=select_account` would achieve a similar result. However, the `prompt` parameter doesn't seem to be supported by DOT either. In addition, according to this article, the `max_age` parameter is better suited to support this use case.
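To make both halves of the mechanism concrete, the following Python sketch (added here as an example; it is not code from this issue or from django-oauth-toolkit) shows the OP-side decision driven by `max_age` and the client-side check of the `auth_time` claim from Section 3.1.2.1. The `Session` type, the 60-second clock-skew allowance and the parameter handling are assumptions, not DOT behaviour.

```python
"""Added example: max_age on the OP side, auth_time verification on the client side."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Assumed shape of an OP session: who is logged in and when they last
    actively authenticated (Unix time)."""
    user: str
    auth_time: int


def parse_max_age(params: dict) -> Optional[int]:
    """Return max_age from the authorization request, or None when absent.
    Anything that is not a non-negative integer is rejected as an invalid request."""
    raw = params.get("max_age")
    if raw is None:
        return None
    if not raw.isdigit():
        raise ValueError("invalid_request: max_age must be a non-negative integer")
    return int(raw)


def op_must_reauthenticate(session: Optional[Session], params: dict, now: int) -> bool:
    """OP side: re-authenticate when there is no session, when prompt=login was
    requested, or when the time since the last active authentication exceeds max_age."""
    if session is None:
        return True
    if "login" in params.get("prompt", "").split():
        return True
    max_age = parse_max_age(params)
    if max_age is None:
        return False            # no max_age: an existing session is acceptable
    return now - session.auth_time > max_age


def client_accepts_auth_time(claims: dict, max_age: int, now: int, skew: int = 60) -> bool:
    """Client side: when max_age was sent, the ID Token MUST carry auth_time, and the
    authentication must fall within max_age (plus an assumed skew allowance)."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False            # missing or malformed claim: do not trust the login
    if auth_time > now + skew:
        return False            # auth_time in the future: clock problem or bad token
    return now - auth_time <= max_age + skew
```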