Include an auth_time claim on the set of generated tokens

[danroth27]

We need Identity to provide time at which the user was signed in so that it can be included as an auth_time claim.

[HaoK]

We should take a look at this as part of aspnet/Identity#650

[HaoK]

Is this claim expected to only change when an explicit sign in method is called? Or can we update the time whenever we generate a new set of claims for the user?

[HaoK]

Basically should this track the user's last login time (LastLoginDate in DB)? Or should this be meta data that's only valid for a particular cookie/set of claims (generated once via the SignInAsync method)?

[HaoK]

cc @blowdart

[ycrumeyrolle]

According to http://openid.net/specs/openid-connect-core-1_0.html

auth_time
Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. [...] (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)

And according to http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.txt

auth_time
(Optional) The most recent timestamp when the End User has
actively authenticated to the OP in a manner fitting the
asserted policies.

[brockallen]

FWIW, we use this in IdentityServer (and add our own claim at auth time). This is the reason we need an authentication handler to wrap any other handlers: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Hosting/AuthenticationHandler.cs#L70

and here's adding the claim: https://github.com/IdentityServer/IdentityServer4/blob/afb09a6872e12a2c77dcc7854841453e2f5f52fb/src/IdentityServer4/IdentityServerPrincipal.cs#L114

[HaoK]

POR is to add this automatically to the set of claims we generate in the claims identity, but they need to be generated only once per actual sign in call (not refreshed with cookie)

[brockallen]

BTW, @danroth2 , you could simply do this in the login page.

[HaoK]

The underlying feature for identity to track sign activity is here be8232d

You will need to opt into 2.0 via AddEntityFrameworkStoresV2/Latest()