We are currently developing a product that has two types of login, one from a web application and the other from a native application, and we would like to have different validity periods for the bearer tokens for the web application and the native application.
Is this possible?
If so, we would like to know how to set it up.
Looking at the OIDC standard - specifying the max_age in the /authorize request results in the ID token being equipped with the auth_time claim.
max_age
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
auth_time
Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
If the auth_time Claim was requested, either through a specific request for this Claim or by using the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.
First, I would like to correct an error in my previous response.
The native app is built with WinForms, not WFP.
I am using version 3.5.0 of Auth0.OidcClient.WinForms, which is published as a Nuget package.
I thought this would be reflected in the access token exp, but after reviewing this response, I understand that this is incorrect.
I also confirmed that the ID token contains the result of auth_time.
However, a new question arises.
Since it is the access token that is sent from the native app to the API server, I don’t think the server can determine if the access token is still valid.
Is it not possible to check the specified validity period on the server side?
I know this is more of a general authentication mechanism than Auth0, but it would be helpful to know.
I think this article may bring some additional context.
Specifically the following statement:
This extra validation will need to be covered by application authors and frameworks making use of the max_age parameter.
Also:
Don’t rely on client-side verification (i.e. in the browser) of the ID token or auth_time to prevent sensitive operations.
(My interpretation) The middleware (on the API server side) responsible for the incoming access token validation and parsing could potentially make use of some of the relevant for the access token validation data, like:
time when the request to gain protected data has been sent;
“issued at” claim of the access token;
max_age parameter value;
“issued at” claim of the ID token;
“auth_time” claim in the ID token;
current time;
and perform validation by making relevant comparisons.
Does this give you some good directions for your investigation?