- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 14.5.0, 14.5.1, 6.0.0
- Component/s: oauth2, OpenID Connect
Bug description
Requesting an id_token using grant_type=authorization_code sets the auth_time within the id_token in milliseconds. The spec (http://openid.net/specs/openid-connect-core-1_0.html) says this should be in seconds. It only returns in milliseconds for this grant_type.
How to reproduce the issue
- Configure OpenID Connect service
- Configure OAuth2/OpenID Connect Agent
- Get code - http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&client_id=myOAuth2Client&scope=openid&redirect_uri=http://www.google.co.uk
- Get access_token - http://openam.example.com:8080/openam/oauth2/access_token?grant_type=authorization_code&redirect_uri=http://www.google.co.uk&code=\code
- Decode the id_token jwt, auth_time shows in milliseconds
Expected behaviour
auth_time returns in seconds
Current behaviour
auth_time returns in milliseconds
Work around
Could use another flow but that's not ideal.
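A relying-party-side check for the unit mismatch described in this report, as an added example (not OpenAM code and not part of the original issue). The claim values are constructed, the function names are hypothetical, and the check assumes `iat` in the same token is in seconds; it also shows why a simple `max_age` comparison silently accepts a millisecond `auth_time`.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def jwt_claims(id_token: str) -> dict:
    """Return the payload claims. No signature check: inspection only."""
    _header, payload, _sig = id_token.split(".")
    return b64url_json(payload)

def auth_time_unit(claims: dict) -> str:
    """Classify auth_time against iat (assumed to be in seconds)."""
    # A millisecond value is about 1000x larger than iat.
    return "milliseconds" if claims["auth_time"] > claims["iat"] * 100 else "seconds"

def naive_max_age_ok(claims: dict, max_age: int, now: int) -> bool:
    """Simple check: a millisecond auth_time makes the age negative."""
    return now - claims["auth_time"] <= max_age

def max_age_satisfied(claims: dict, max_age: int, now: int) -> bool:
    """Stricter check: fail closed on a wrong unit or a future auth_time."""
    if auth_time_unit(claims) != "seconds":
        return False
    return 0 <= now - claims["auth_time"] <= max_age

def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data only)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample claims: the user authenticated one hour before NOW.
NOW = 1_700_000_000
GOOD = {"iat": NOW, "auth_time": NOW - 3600}            # seconds, per spec
BAD = {"iat": NOW, "auth_time": (NOW - 3600) * 1000}    # milliseconds, as reported

if __name__ == "__main__":
    for name, claims in (("seconds", GOOD), ("milliseconds", BAD)):
        decoded = jwt_claims(make_token(claims))
        print(name, auth_time_unit(decoded),
              "naive:", naive_max_age_ok(decoded, 300, NOW),
              "strict:", max_age_satisfied(decoded, 300, NOW))
```

With `max_age=300`, the hour-old login is rejected when `auth_time` is in seconds, but the simple comparison accepts the millisecond value because the computed age is negative.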