auth_ time
Registry Context
auth_time records when the End-User authentication occurred in an OpenID Connect ID Token.
Technical Summary
The auth_time claim value is defined as a JSON number representing seconds from 1970-01-01T00:00:00Z UTC until the authentication time.
When Used
Used in ID Tokens, especially when max_age is requested or auth_time is requested as an Essential Claim.
Normative Requirements
Clients
openid-connect-core-1_0 - Section 3.1.3.7
check the auth_time Claim value and request re-authentication if too much time has elapsed since the last End-User authentication.
Condition: if the auth_time Claim was requested, either specifically or by using max_age
the Client SHOULD check the auth_time Claim value
ID Token returned by the OpenID Provider
openid-connect-core-1_0 - Section 3.1.2.1
include an auth_time Claim Value.
Condition: when max_age is used
MUST include an auth_time Claim Value
OpenID Provider / Authorization Server
openid-connect-core-1_0 - Section 2
include the auth_time claim in the ID Token.
Condition: when a max_age request is made or auth_time is requested as an Essential Claim
then this Claim is REQUIRED
openid-connect-core-1_0 - Section 2
include the auth_time claim in the ID Token.
Condition: when neither max_age is requested nor auth_time is requested as an Essential Claim
otherwise, its inclusion is OPTIONAL
Validation Guidance
When generating an ID Token for a request using max_age, verify auth_time is present.
When auth_time is requested as an Essential Claim, verify auth_time is present in the ID Token.
When auth_time was requested or max_age was used, clients should evaluate auth_time freshness and request re-authentication if too much time has elapsed.
If neither max_age nor an Essential auth_time request applies, absence of auth_time is allowed by the referenced OpenID Connect Core rule.
Security Notes
openid-connect-core-1_0 - Section 3.1.3.7
Client-side auth_time checking is tied to deciding whether re-authentication is needed after elapsed time since End-User authentication.
Reference
Details
- Entry Id
auth_time - Claim Name
auth_time - Claim Description
Time when the authentication occurred- Change Controller
OpenID_Foundation_ Artifact_ Binding_ Working_ Group - Reference
OpenID Connect Core 1.0 - Section 2