DuendeSoftware / Support

Support for Duende Software products

Login loop when request authorize endpoint with max_age=0 #1229

Closed tiagofe closed 3 months ago

tiagofe commented 4 months ago

Which version of Duende IdentityServer are you using? Duende 7.0.4

Which version of .NET are you using? 8

Describe the bug

With Duende version 7, every time we call the authorize endpoint using max_age=0, it starts a loop asking to log in again and again. After investigation, comparing the behavior with version 6.3.8, it seems Clock.UtcNow.UtcDateTime in AuthorizeInteractionResponseGenerator contains a milliseconds part, but in Duende 6.3.8 it is always 0 milliseconds.

This causes it to enter a loop trying to log in again and again.

To Reproduce

Call the authorize endpoint using max_age=0

Expected behavior

It should ask for login one time only.

Log output/exception with stacktrace

Additional context

Here I add some logs only to compare versions:

Duende 6.3.8 (inside max_age datetime validation) -> image

Duende 7.0.4 (inside max_age datetime validation) -> image

It seems Clock.UtcNow.UtcDateTime contains the milliseconds, but Duende 6 was using ISystemClock, and it seems the milliseconds were 0 before.

Then, with Duende 7.0.4, since Clock.UtcNow.UtcDateTime is greater than authTime, it will ask for login again.
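The mechanism described in this report, reduced to the comparison that matters, as an added illustration that is not IdentityServer's code: `auth_time` is carried as whole epoch seconds, so the stored authentication time never has a millisecond part, while a clock that does carry milliseconds is strictly greater than it for the rest of that second. The `RequiresReauthentication` method, its parameters and the sample timestamps are hypothetical, chosen only to show the two behaviours side by side; truncating the current time to seconds before the comparison is one way to make both operands have the same precision, not a statement of what the linked pull request does.

```csharp
using System;

// Added illustration of the max_age check discussed in the issue.
// Hypothetical method and names; not taken from IdentityServer.
static class MaxAgeCheck
{
    // authTime comes from the auth_time claim, which is an integer number of
    // epoch seconds and therefore carries no millisecond component.
    // now is whatever the clock abstraction returns; with millisecond precision
    // it is almost always strictly later than the second it belongs to.
    public static bool RequiresReauthentication(
        DateTimeOffset authTime, int maxAge, DateTimeOffset now, bool truncateNowToSeconds)
    {
        // Bring "now" down to the same precision as auth_time when asked to.
        var current = truncateNowToSeconds
            ? DateTimeOffset.FromUnixTimeSeconds(now.ToUnixTimeSeconds())
            : now;

        // The user must re-authenticate once the session is older than max_age.
        return current > authTime.AddSeconds(maxAge);
    }

    static void Main()
    {
        // Constructed sample: the user authenticated at this whole second...
        var authTime = DateTimeOffset.FromUnixTimeSeconds(1_700_000_000);

        // ...and the authorize request with max_age=0 arrives 350 ms later,
        // i.e. within the same second the user just logged in.
        var now = authTime.AddMilliseconds(350);

        // Millisecond clock: 350 ms past authTime is "greater", so login is
        // demanded again, which produces the loop from the report.
        Console.WriteLine(
            $"millisecond clock -> re-authenticate: {RequiresReauthentication(authTime, 0, now, false)}");

        // Second-precision clock: both operands are the same second, so the
        // comparison is false and the user is asked to log in only once.
        Console.WriteLine(
            $"second clock      -> re-authenticate: {RequiresReauthentication(authTime, 0, now, true)}");
    }
}
```

Aligning the two operands removes the spurious mismatch inside the login second; with max_age=0 a request that lands in a later second still legitimately requires re-authentication, which is the semantics the parameter asks for.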

pecanw commented 3 months ago

Proposed solution - see the pull request

RolandGuijt commented 3 months ago

Thanks for the PR! I've created an issue in the IdentityServer repo for this. I'm closing this support issue - further tracking can be done from there.

josephdecock commented 3 months ago

Also, a work-around while we get this fixed is to use prompt=login instead of max_age=0.

josephdecock commented 2 months ago

@pecanw We just released IdentityServer 7.0.5 which includes a fix for this issue. Enjoy!