[OPENAM-12477] id_token requested using grant_type=authorization_code returns auth_time in milliseconds Created: 20/Feb/18  Updated: 29/Apr/20  Resolved: 22/Mar/18

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 14.5.0, 14.5.1, 6.0.0
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Aaron Haskins Assignee: Dipu Seminlal
Resolution: Fixed Votes: 2
Labels: AME, Must-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same an in the description


Bug description

Requesting an id_token using grant_type=authorization_code sets the auth_time within the id_token in milliseconds. The spec (http://openid.net/specs/openid-connect-core-1_0.html) says this should be in seconds. It only returns in milliseconds for this grant_type.

How to reproduce the issue

Details steps outlining how to recreate the issue (remove this text)

  1. Configure OpenID Connect service
  2. Configure OAuth2/OpenID Connect Agent
  3. Get code - http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&client_id=myOAuth2Client&scope=openid&redirect_uri=http://www.google.co.uk
  4. Get access_token - http://openam.example.com:8080/openam/oauth2/access_token?grant_type=authorization_code&redirect_uri=http://www.google.co.uk&code=\code
  5. Decode the id_token jwt, auth_time shows in milliseconds
Expected behaviour
auth_time returns in seconds
Current behaviour
auth_time returns in milliseconds

Work around

Could use another flow but that's not ideal.


Comment by Enes Köse [ 22/Feb/18 ]

Can you give us a timespan when this bug will be fixed?

Comment by Enes Köse [ 01/Mar/18 ]

Hi, are you going to provide a patch for this bug?

Comment by Andy Hall [ 02/Mar/18 ]

Enes Köse If the fix is required by a customer, please raise a support ticket.

Comment by Daniel Franke [ 09/Mar/18 ]

Additionally the auth time is not returned in milliseconds correctly. The session stores the session creation time in milliseconds but the auth time in the affected oidc token seems to be simply time in seconds with three zeros appended.

So either session creation time was first converted to seconds (or taken it from another source which stores it in seconds) and then to milliseconds again which leads to less accuraccy. Second reason could be that there were added simply three zeroes.


Creation time of CTS-Session token (this session is used during the auth code flow) : "creationTimeInMillis":1520521423016

Auth time from oidc token: 1520521423000

Comment by Mark de Reeper [ 17/Apr/18 ]

Backported to 5.5.x

Comment by Ľubomír Mlích [ 03/Sep/19 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41), there are miliseconds in auth_time

Verified in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11), there are seconds in auth_time

Generated at Thu Sep 24 15:09:59 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.