auth_time validation fails when SSO session is renewed

[eedzjee]

Describe the bug
The auth_time in the ID token is validated against the auth_time of the original access token in the session. But in some cases, this auth_time can be reset on the Identity Provider, resulting in an [invalid_id_token] Invalid authenticated at time on the client side whenever the token is refreshed.

Background
I ran into this bug when updating from Spring Boot 3.3.x to 3.5.x, so somewhere in the newer Spring Security version this validation has been added. Refreshing tokens has been working perfectly fine before, but after the update this error broke our code as we enforce authentication on other applications with prompt=login. I read the documentation of the OIDC specification and think that the current validation of the auth_time might be a little too strict. I am curious on what others would think of this situation.

To Reproduce

• Log in to a Spring Boot app via OIDC SSO
• Log in to another application on the same Identity Provider, but enforce entering credentials again with prompt=login
• Wait at least 5 minutes for the first access token to expire
• Try to refresh the token from the (first) Spring Boot app.
• Actual behavior: An invalid_id_token error pops up as the auth_time of the refreshed ID token doesn't match the auth_time of the original one within the application session.

Expected behavior
The tokens are refreshed, without any arror.

The OIDC specification mentions:

auth_time: Time when the End-User authentication occurred.

And also the requirements for a refreshed ID token:

if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued,

It might be debatable what 'time of original authentication' means here, but I would interpret that as: 'the time when authentication (for this new ID token) originated at the Identity Provider'. And as the Identity Provider only keeps track of one authentication session, that latest auth_time would be used here. Which is a perfectly valid for the refreshed ID token.

Spring Security wants to validate this auth_time after the ID token is being refreshed against the auth_time in the original ID token it received earlier. But I think it is not said in the specification that this should be done that way.

To fix this, Spring Security could either:

• remove the validateAuthenticatedAt validation as you cannot know the time of the original authentication at this point.
• or adapt it to only validate that it is earlier than the issued_at of the newly refreshed ID token. As that is the only thing you can validate for certain at this point.
• or make it configurable, so it can be disabled to allow auth_time changes.

[jgrandja]

@eedzjee

The auth_time in the ID token is validated against the auth_time of the original access token in the session.

It's not validated against the auth_time of the original access token , instead it's validated against the original ID Token.

spring-security/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

Line 303 in a980368

if (!idToken.getAuthenticatedAt().equals(existingOidcUser.getIdToken().getAuthenticatedAt())) {

It might be debatable what 'time of original authentication' means here, but I would interpret that as: 'the time when authentication (for this new ID token) originated at the Identity Provider'. And as the Identity Provider only keeps track of one authentication session, that latest auth_time would be used here. Which is a perfectly valid for the refreshed ID token.

It's not the latest auth_time, it's the auth_time from the original ID Token. As per 12.2. Successful Refresh Response:

if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued

After reviewing the code, I don't see any issue with the current implementation.

Which provider are you using? What is the auth_time claim in the original ID Token vs. the auth_time claim in the refreshed ID Token? Have you tried this with another provider to see if the behaviour is the same?

[eedzjee]

Thanks for the insights @jgrandja.

It's not validated against the auth_time of the original access token , instead it's validated against the original ID Token.

My bad, I meant the ID token indeed. I've updated that in the original question to keep things clear.

It's not the latest auth_time, it's the auth_time from the original ID Token. As per 12.2. Successful Refresh Response: "if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued"

That's why I think that line from the specification is debatable: The auth_time in the new ID token says something about the time of authentication. Whether the 'latest' authentication is considered as 'original' or the 'first' authentication. That isn't exactly clear by the specs. As I interpret it: authentication for this user originated on that auth_time.
What the specs don't tell is that you must validate it against the auth_time of an ID token the client received earlier.

Which provider are you using?

Keycloak. I will try to explain the situation in more details. There is also a test-case in the repository of Keycloak that exactly reproduces this use-case: updating the auth_time after entering the credentials again via prompt=login: https://github.com/keycloak/keycloak/blob/215bc1e27230f2a66670ed70262248b5f5254eb9/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java#L368

1. Log in to a Spring application via Keycloak -> auth_time is set to x
2. Spring Boot retrieves tokens from Keycloak -> auth_time=x
3. Log in to another application via Keycloak that requires prompt=login -> auth_time is now set to y (this is then considered the current 'original' authentication according to the specification & Keycloaks implementation)
4. Whenever the access token expires and Spring Boot tries to refresh it, also a new ID token is retrieved and 'validated'. But auth_time=y from that new ID token doesn't match auth_time=x in the ID token Spring received after the first login.

This causes Spring to reject the authentication and redirect the user through the Identity Provider again, while the session at Keycloak was still perfectly valid and refreshed.

[jgrandja]

@eedzjee

Keycloak. I will try to explain the situation in more details. There is also a test-case in the repository of Keycloak that exactly reproduces this use-case: updating the auth_time after entering the credentials again via prompt=login: https://github.com/keycloak/keycloak/blob/215bc1e27230f2a66670ed70262248b5f5254eb9/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java#L368

That test case is the 3.1.2.1. Authentication Request flow.

4. Whenever the access token expires and Spring Boot tries to refresh it, also a new ID token is retrieved and 'validated'. But auth_time=y from that new ID token doesn't match auth_time=x in the ID token Spring received after the first login.

This is the 12.1. Refresh Request flow, which is completely different.

prompt=login is only applicable for the Authentication Request flow. It is NOT applicable to the Refresh Request flow.

The error [invalid_id_token] Invalid authenticated at time occurs during the Refresh Request flow, which is triggered here:

spring-security/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenOAuth2AuthorizedClientProvider.java

Line 108 in 14d469c

this.applicationEventPublisher.publishEvent(authorizedClientRefreshedEvent);

and ultimately notifies OidcAuthorizedClientRefreshedEventListener and validates auth_time here:

spring-security/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.java

Line 319 in 14d469c

if (!Objects.equals(idToken.getAuthenticatedAt(), existingOidcUser.getIdToken().getAuthenticatedAt())) {

I'm going to close this issue as the validation applied to auth_time claim during the Refresh Request flow is correct.