Support max_age in initiate_auth_code_flow() for OIDC #381
Comments
Labeling this as
@kevindixon , thanks for this suggestion! There is a PR available now. And you can test it by installing the cutting-edge MSAL by:
Let us know whether it works for you.
@rayluo thanks for the speedy response. About to go on vacation, but will endeavour to take a look on my return
@rayluo doesn't seem to work as I expect.
By the time I've called Or am I missing something...?
In practice, it wouldn't make sense to use
When did you call
This is exactly what I am trying to do - user is already logged in, but attempting a privileged action and I want to be able to FORCE re-authentication (and confirm authentication in the issued token). Here is the series of operations I have re-run with timings:
So.. the call to Note in both cases that
Hi Kevin, thanks for the feedback. That was a good read. You are right, And I can also reproduce the issue you found. I made some adjustment to the PR, and it would work now. Besides, that PR will now automatically check the However, my test revealed some other corner cases. I'll discuss with our service-side team before I can get back to you.
Hi @kevindixon , did you get some time to test out the updated PR? In your test environment, you would need to do
Hi @rayluo,
Hi Inês, thanks for the good catch! We have updated that fix. Please re-do
Hi Ray, seems to work nicely now, thank you!
Thanks for your confirmation! You are all set. The rest of the tasks are all on our side.
Describe the bug
We have a need to be able to force re-authentication for certain operations in our product.
Whilst ConfidentialClientApplication.initiate_auth_code_flow supports prompt=login, this is an imperfect solution because on our side there is no way to confirm that re-authentication took place. The right way to do this is to pass max_age=0 (ref) and use the auth_time claim value to confirm re-authentication took place. From what I can see ConfidentialClientApplication.initiate_auth_code_flow doesn't support max_age.
To Reproduce
N/A
Expected behavior
max_age is supported, and functions as defined in the OIDC spec
What you see instead
Exception thrown if max_age passed.
The MSAL Python version you are using
msal==1.12.0
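The verification step the issue describes, as an added example that is not MSAL's code and not from this thread: after sending max_age=0 in the authorization request, the relying party confirms re-authentication from the auth_time claim of the (already signature-verified and decoded) ID token, rejecting tokens that carry no auth_time at all. The CLOCK_SKEW value and the sample claim sets are assumptions constructed for the example.

```python
import time

# Allowed clock skew between the identity provider and this service, in seconds
# (assumed value; tune to your environment).
CLOCK_SKEW = 5


def verify_reauthentication(id_token_claims, max_age, now=None):
    """Check that decoded ID token claims satisfy the max_age the client requested.

    Per OIDC Core 3.1.2.1, when max_age is sent the provider MUST include the
    auth_time claim, and the end-user authentication must be no older than
    max_age seconds. A token without auth_time proves nothing about when the
    user last authenticated, so it is rejected rather than trusted.
    Returns a (ok, reason) tuple.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time claim missing; re-authentication not proven"
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False, "auth_time claim is not numeric"
    age = now - auth_time
    if age < -CLOCK_SKEW:
        return False, "auth_time lies in the future beyond allowed clock skew"
    if age > max_age + CLOCK_SKEW:
        return False, f"authentication is {age:.0f}s old, exceeds max_age={max_age}"
    return True, "fresh authentication confirmed"


# Constructed sample claim sets (not real tokens). A caller would obtain these by
# validating the ID token's signature and decoding its payload first.
FRESH_CLAIMS = {"sub": "user-123", "iat": 1_700_000_100, "auth_time": 1_700_000_098}
STALE_CLAIMS = {"sub": "user-123", "iat": 1_700_000_100, "auth_time": 1_699_990_000}
NO_AUTH_TIME = {"sub": "user-123", "iat": 1_700_000_100}

if __name__ == "__main__":
    now = 1_700_000_100
    for name, claims in [("fresh", FRESH_CLAIMS), ("stale", STALE_CLAIMS),
                         ("no auth_time", NO_AUTH_TIME)]:
        print(name, verify_reauthentication(claims, max_age=0, now=now))
```

With prompt=login alone the relying party never sees proof of when the user authenticated; the auth_time check is what turns the request into a verifiable step-up.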