Describe the bug
After signing in with WebAuthn, the OIDC id_token is missing the sid and auth_time claims.
In the same setup, a username/password login includes both claims as expected.
This leads to inconsistent ID token contents depending on the authentication method.
To Reproduce
- git clone https://github.com/alsha/sas-webauthn-idtoken-repro
- cd sas-webauthn-idtoken-repro
- mvn test
Cause of the issue
The problem appears to be related to the implementation of the SpringSessionBackedSessionRegistry.name(...) method.
SessionRegistryImpl behaves correctly.
Expected behavior
sid and auth_time should be present in the OIDC id_token after successful WebAuthn login as well, same as after username/password login.
Sample
https://github.com/alsha/sas-webauthn-idtoken-repro
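A check for the symptom reported above, as an added example that is not part of the original issue or of the project's code: it decodes the payload of two ID tokens and reports missing or malformed `sid` and `auth_time` claims, plus any claim names present after one login method but not the other. The tokens, issuer, client and subject values are constructed samples, the helper names are hypothetical, and the payload is decoded without signature verification, which is suitable only for diagnostics.

```python
import base64
import json

SESSION_CLAIMS = ("sid", "auth_time")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(id_token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact token with 3 segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def session_claim_problems(id_token: str) -> list:
    """List what is wrong with sid / auth_time in one ID token."""
    claims = decode_claims(id_token)
    problems = [f"missing {name}" for name in SESSION_CLAIMS if name not in claims]
    sid, auth_time = claims.get("sid"), claims.get("auth_time")
    if "sid" in claims and not (isinstance(sid, str) and sid):
        problems.append("sid is not a non-empty string")
    if "auth_time" in claims and (isinstance(auth_time, bool)
                                  or not isinstance(auth_time, (int, float))):
        problems.append("auth_time is not a numeric timestamp")
    return problems

def claim_drift(token_a: str, token_b: str) -> list:
    """Claim names present in exactly one of the two tokens."""
    return sorted(set(decode_claims(token_a)) ^ set(decode_claims(token_b)))

# Constructed sample payloads: same client and user, two login methods.
_COMMON = {"iss": "https://as.example.test", "sub": "user1", "aud": "client-1",
           "iat": 1700000000, "exp": 1700001800}
PASSWORD_TOKEN = make_sample_token({**_COMMON, "sid": "s-123", "auth_time": 1699999990})
WEBAUTHN_TOKEN = make_sample_token(dict(_COMMON))

if __name__ == "__main__":
    print("password:", session_claim_problems(PASSWORD_TOKEN))
    print("webauthn:", session_claim_problems(WEBAUTHN_TOKEN))
    print("drift:   ", claim_drift(PASSWORD_TOKEN, WEBAUTHN_TOKEN))
```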