OIDC: Implement max_age validation on /authorize endpoint #8

Open
opened 2025-12-31 05:33:11 +00:00 by Claude · 0 comments

Missing OIDC Feature: max_age Validation

Status

auth_time claim is now implemented and included in ID tokens, but the server-side max_age validation on the /authorize endpoint is missing.

What's Implemented

  • auth_time is stored in session when user authenticates (session[:auth_time])
  • auth_time is included in ID token claims (as Unix timestamp)
  • Clients can validate auth_time on their end

What's Missing

Per OIDC Core §2, when the client sends max_age parameter to /authorize:

Expected behavior:

  • If auth_time ≤ max_age seconds ago → Proceed silently (SSO)
  • If auth_time > max_age seconds ago → Force re-authentication (show login screen)

Current behavior:

  • The max_age parameter is not validated
  • Users with old sessions proceed regardless of max_age

Implementation Notes

The authorize flow currently has two states:

  1. User not logged in → redirect to login
  2. User logged in → proceed (or show consent if needed)

Adding max_age support requires a third state:
  3. User logged in but session is too old → force re-auth
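
The three-state decision above, written out as an added example (this is not clinch's code; the module name, the `decide` helper and the session/params keys are assumptions, and clinch's real controller may differ). It treats a malformed `max_age` as an invalid request, a session that has no `auth_time` at all as too old rather than fresh, and a `max_age` of `0` as always forcing re-authentication, and it keeps the ≤ boundary from the expected behavior (elapsed time exactly equal to `max_age` still proceeds):

```ruby
# Added example, not clinch's own code. Names and keys are assumptions.
module AuthorizeAge
  module_function

  # Accept only a non-negative integer string for max_age; anything else
  # (empty, negative, float, text) is treated as malformed and returns nil.
  def parse_max_age(raw)
    return nil if raw.nil?
    str = raw.to_s
    return nil unless str.match?(/\A\d+\z/)
    str.to_i
  end

  # Returns one of:
  #   :redirect_to_login - no authenticated user in the session (state 1)
  #   :proceed           - logged in and fresh enough, or no max_age sent (state 2)
  #   :force_reauth      - logged in but auth_time is older than max_age (state 3)
  #   :invalid_request   - max_age present but malformed
  def decide(session, params, now: Time.now.to_i)
    return :redirect_to_login unless session[:user_id]

    raw = params[:max_age] || params["max_age"]
    return :proceed if raw.nil?

    max_age = parse_max_age(raw)
    return :invalid_request if max_age.nil?

    auth_time = session[:auth_time]
    # A session created before auth_time was recorded has no timestamp;
    # unknown age is never treated as fresh.
    return :force_reauth if auth_time.nil?

    elapsed = now - auth_time.to_i
    # max_age=0 leaves no window, so it always forces re-authentication.
    # A negative elapsed time (auth_time in the future) means clock trouble
    # or a tampered value and is not trusted either.
    return :force_reauth if max_age.zero? || elapsed < 0 || elapsed > max_age

    :proceed
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  # Constructed sample sessions: one fresh, one stale.
  fresh = { user_id: 1, auth_time: now - 60 }
  stale = { user_id: 1, auth_time: now - 3600 }
  puts AuthorizeAge.decide(fresh, { max_age: "300" }, now: now) # :proceed
  puts AuthorizeAge.decide(stale, { max_age: "300" }, now: now) # :force_reauth
end
```

In the `:force_reauth` branch the controller would send the user through the normal login flow while preserving the original authorize request; once authentication.rb stores the new `session[:auth_time]`, the ID token issued afterwards carries that fresh `auth_time`, so a client that also checks the claim on its end sees a consistent value.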

Related Code

  • /oauth/authorize endpoint in app/controllers/oidc_controller.rb:48
  • Session auth_time set in app/controllers/concerns/authentication.rb:53
  • ID token generation in app/services/oidc_jwt_service.rb:6

Spec Reference

  • OpenID Connect Core §2 (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) - max_age parameter
  • OpenID Connect Core §2 (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) - auth_time claim

Reference: dkam/clinch#8