[oidc] always provide auth_time in idToken #5956
Labels
Milestone
Comments
leleueri
changed the title
tcompiegne
changed the title
leleueri
added a commit
to gravitee-io/gravitee-access-management
that referenced
this issue
Aug 13, 2021
|
@leleueri Is there any update on this, I'm facing the same issue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If an ID Token is returned as a result of a token refresh request, if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
According to OIDC specification (https://openid.net/specs/openid-connect-core-1_0.html#IDToken),
This claim is optional but REQUIRED if the max_age parameter is specified or it the auth_time is part of the claims request. We decided to always provide this claim during the Financial-grand API conformance implementation since this claim was return by default in some cases.
The text was updated successfully, but these errors were encountered: