
auth_time claim doesn't show the time of the original authentication.

Open peter-san opened this issue 7 months ago • 6 comments

Describe the bug

auth_time claim doesn't show the time of the original authentication, but the time when the session was updated.

To Reproduce

Log in using the authorization code grant.

Request several ID tokens, one after another.

The value of the 'auth_time' claim differs in each response and does not show the login time.

Expected behavior

'auth_time' claim represents the time of the original authentication.

peter-san avatar Jun 04 '25 07:06 peter-san

@peter-san I was not able to reproduce the issue as the auth_time claim remained the same for each OIDC flow I went through while staying logged in.

Please provide a minimal sample or test that reproduces this issue so I can look into it further.

jgrandja avatar Jun 10 '25 15:06 jgrandja

Hi @jgrandja, I work together with @peter-san. We were able to reproduce the problem in a minimal example.

Turns out the issue only appears when using Spring Session. When you replace the default SessionRegistryImpl with SpringSessionBackedSessionRegistry, the behavior of the method .getLastRequest() changes, which leads to the auth_time claim being updated on every request.

matthias-seibert-tng avatar Jun 16 '25 06:06 matthias-seibert-tng

@matthias-seibert-tng Thanks for the sample and I was able to reproduce the same issue.

As you mentioned, SpringSessionBackedSessionRegistry updates SessionInformation.getLastRequest() with the last access time leading to different auth_time claim values.

The auth_time should not use SessionInformation.getLastRequest() but the reason it did when this was implemented is because there is no SessionInformation.getCreatedTime() field which would have made more sense.

I'm not sure what to do to fix this other than adding SessionInformation.getCreatedTime() or removing the auth_time claim, since it's optional anyway.

jgrandja avatar Jun 16 '25 20:06 jgrandja
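To make the consequence of the behaviour described in the two comments above concrete, here is a small model (added here as an illustration; it is not code from Spring Security, Spring Session or Spring Authorization Server) of how an auth_time claim derived from the session's last-request timestamp behaves compared with one derived from a creation timestamp. The class names, the `touch` helper standing in for what SpringSessionBackedSessionRegistry effectively does on every request, the timestamps and the max_age value are all constructed for the example. The relying-party check follows the OpenID Connect Core rule that the time elapsed since auth_time must not exceed the requested max_age.

```python
from dataclasses import dataclass


@dataclass
class SessionInformation:
    """Constructed stand-in for a session record with both timestamps."""
    created_time: int   # when the user actually authenticated (hypothetical getCreatedTime())
    last_request: int   # last access, as exposed by getLastRequest()


def touch(session: SessionInformation, now: int) -> None:
    """Model of a session-backed registry refreshing lastRequest on every request."""
    session.last_request = now


def auth_time_from_last_request(session: SessionInformation) -> int:
    """auth_time computed the way the thread describes: from getLastRequest()."""
    return session.last_request


def auth_time_from_created_time(session: SessionInformation) -> int:
    """auth_time computed from the (hypothetical) creation timestamp instead."""
    return session.created_time


def issue_id_tokens(auth_time_fn, login_at: int, request_times: list[int]) -> list[int]:
    """Issue one ID token per request and return the auth_time claim of each."""
    session = SessionInformation(created_time=login_at, last_request=login_at)
    claims = []
    for now in request_times:
        touch(session, now)            # every request updates lastRequest
        claims.append(auth_time_fn(session))
    return claims


def rp_accepts_max_age(auth_time: int, max_age: int, now: int) -> bool:
    """Relying-party side check: reject if the authentication is older than max_age."""
    return now - auth_time <= max_age


def compare(login_at: int, request_times: list[int], max_age: int) -> dict:
    """Run both strategies and report what an RP enforcing max_age would conclude
    about the last token issued."""
    now = request_times[-1]
    result = {}
    for name, fn in (("last_request", auth_time_from_last_request),
                     ("created_time", auth_time_from_created_time)):
        claims = issue_id_tokens(fn, login_at, request_times)
        result[name] = {
            "auth_time_claims": claims,
            "stable": len(set(claims)) == 1,
            "rp_accepts": rp_accepts_max_age(claims[-1], max_age, now),
        }
    return result


if __name__ == "__main__":
    # Constructed scenario: login at t=1000, three token requests later, RP requires max_age=600s.
    report = compare(login_at=1000, request_times=[1100, 2000, 5000], max_age=600)
    for strategy, info in report.items():
        print(strategy, info)
```

With the last-request strategy the claim changes on every request and the final token still satisfies a 600-second max_age even though the user authenticated 4000 seconds earlier, so the RP's freshness requirement is silently defeated; with a creation timestamp the claim is constant and the stale authentication is correctly rejected, which is the max_age use case mentioned later in this thread.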

Hi @jgrandja,

We are using Spring Authorization Server in production, and everything is working well.

While working on a related topic, I stumbled across this issue and would recommend adding SessionInformation.getCreatedTime(). Beyond supporting the auth_time claim, I see several additional use cases that could benefit from this enhancement:

  1. Auditing & Compliance: Who logged in when?
  2. Custom Session Expiration Rules – beyond idle timeouts, you might want to:
     - Expire sessions after a fixed total lifespan (e.g., X minutes), regardless of user activity.
     - Apply different session policies based on creation time (e.g., time-of-day restrictions).
  3. Session Monitoring UI: Example — "User X has been logged in since 08:12, last activity at 08:55."
  4. Support for the OpenID Connect max_age query parameter could be implemented more easily. (see: OpenID Connect Core 1.0)

@jgrandja What do you think?

sweidner-rio avatar Jun 23 '25 12:06 sweidner-rio

@sweidner-rio

> We are using Spring Authorization Server in production, and everything is working well.

Excellent! Happy to hear it!

> would recommend adding SessionInformation.getCreatedTime()

All very good points and I agree.

Since SessionInformation lives in Spring Security, would you mind adding a new issue with all the details? Thank you.

jgrandja avatar Jun 23 '25 17:06 jgrandja

This issue was transferred from spring-projects/spring-authorization-server (see spring-authorization-server#2195)

jgrandja avatar Dec 09 '25 17:12 jgrandja