oauth2.dev

auth_time

OpenID_Foundation_Artifact_Binding_Working_Group

Registry Context

auth_time records when the End-User authentication occurred in an OpenID Connect ID Token.

Technical Summary

The auth_time claim value is defined as a JSON number representing seconds from 1970-01-01T00:00:00Z UTC until the authentication time.

When Used

Used in ID Tokens, especially when max_age is requested or auth_time is requested as an Essential Claim.

Normative Requirements

Clients

SHOULD
1
  1. openid-connect-core-1_0 - Section 3.1.3.7

    check the auth_time Claim value and request re-authentication if too much time has elapsed since the last End-User authentication.

    Condition: if the auth_time Claim was requested, either specifically or by using max_age

    the Client SHOULD check the auth_time Claim value

ID Token returned by the OpenID Provider

MUST
1
  1. openid-connect-core-1_0 - Section 3.1.2.1

    include an auth_time Claim Value.

    Condition: when max_age is used

    MUST include an auth_time Claim Value

OpenID Provider / Authorization Server

REQUIRED
1
  1. openid-connect-core-1_0 - Section 2

    include the auth_time claim in the ID Token.

    Condition: when a max_age request is made or auth_time is requested as an Essential Claim

    then this Claim is REQUIRED

OPTIONAL
1
  1. openid-connect-core-1_0 - Section 2

    include the auth_time claim in the ID Token.

    Condition: when neither max_age is requested nor auth_time is requested as an Essential Claim

    otherwise, its inclusion is OPTIONAL

Validation Guidance

error

When generating an ID Token for a request using max_age, verify auth_time is present.

error

When auth_time is requested as an Essential Claim, verify auth_time is present in the ID Token.

warning

When auth_time was requested or max_age was used, clients should evaluate auth_time freshness and request re-authentication if too much time has elapsed.

info

If neither max_age nor an Essential auth_time request applies, absence of auth_time is allowed by the referenced OpenID Connect Core rule.

Security Notes

openid-connect-core-1_0 - Section 3.1.3.7

Client-side auth_time checking is tied to deciding whether re-authentication is needed after elapsed time since End-User authentication.

Reference

Details

Entry Id
auth_time
Claim Name
auth_time
Claim Description
Time when the authentication occurred
Change Controller
OpenID_Foundation_Artifact_Binding_Working_Group
Reference
OpenID Connect Core 1.0 - Section 2