Missing auth_time claim on ID token after update password before continue Action

Problem statement

The ID token does not contain the auth_time claim that should be present after an /authorize call with max_age

Symptoms

  • /authorize has max_age=600 (example)
  • The auth_time is missing in the ID token after continuing an Action

Steps to reproduce

  1. Deploy a Post Login Action with a redirect and continue
  2. Login with max_age param
  3. Action redirects user to a URL
  4. Update password
  5. Continue after redirection
  6. Check ID token to see auth_time

Cause

It is possible that the session is closed and then opened again, which would explain why the ID token is issued without auth_time after the password is updated for this user. After the Action continues, the ID token does not contain auth_time.

Docs:

Solution

A possible workaround is to move the update step (password change, etc.) so that it happens after the whole login flow has completed. If the user is not modified at all, auth_time is present in the ID token.
