Hello,
We fail the test "OP-Req-max_age=10000" because the auth_time for both flows is not the same.
Due to security restrictions of the authentication method used (we have no influence on that), users need to authenticate every time a flow is performed to get a token. So there is no concept of a session on the authentication provider, and the auth_time will never be the same.
As we read the specification, max_age does not require the auth_time to be the same; it requires that the auth_time is not too long ago (10,000 seconds in this case). So the test seems to be "wrong", that is, wrong in our case, where there is no session on the authentication provider.
As a result, we cannot pass certification.
Any thoughts or comments?
Regards Hannes
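The following is an added example, not code from the post above, from the OpenID certification suite or from any OP implementation. It shows what a relying-party check of max_age looks like under the reading of the specification given in the post: when the RP sent max_age, the ID token must carry an auth_time claim, and the authentication must not be older than max_age seconds. Two constructed tokens with different auth_time values both pass that check, which is the situation the post describes; a token whose authentication is older than max_age, or which lacks auth_time entirely, fails. The function names, the 60-second clock-skew allowance and the sample tokens (unsigned, alg "none", signature validation deliberately out of scope) are assumptions of this example. It does not reproduce the certification test's own comparison of the two auth_time values.

```python
"""Relying-party side check of the OpenID Connect max_age / auth_time rule.

Added example, not code from the original post or from any certification suite.
It implements the reading described in the post: when the RP sent max_age,
the ID token must carry auth_time, and now - auth_time must not exceed max_age.
The sample tokens below are constructed for this example (unsigned payloads;
signature validation is out of scope here).
"""
import base64
import json
from typing import Any


def decode_unsigned_payload(id_token: str) -> dict[str, Any]:
    """Return the claims of a compact JWT without verifying its signature.

    Only for inspecting the constructed sample tokens; a real RP verifies the
    signature (and iss, aud, exp, nonce) before trusting any claim.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_max_age(claims: dict, max_age: int, now: int, skew: int = 60) -> tuple[bool, str]:
    """Decide whether an ID token satisfies the max_age the RP requested.

    Returns (ok, reason). Rules applied (assumption: RP-side reading of
    OIDC Core sections 2 and 3.1.2.1):
      * max_age was sent, so auth_time MUST be present and numeric;
      * the authentication must not be older than max_age seconds
        (a small clock skew, `skew`, is tolerated);
      * an auth_time in the future beyond the skew is rejected.
    """
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False, "auth_time claim missing or not an integer"
    if auth_time > now + skew:
        return False, "auth_time is in the future"
    age = now - auth_time
    if age > max_age + skew:
        return False, f"authentication is {age}s old, exceeds max_age={max_age}"
    return True, f"authentication is {age}s old, within max_age={max_age}"


def _make_token(claims: dict) -> str:
    """Build an unsigned compact JWT (alg none) for the constructed samples."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# Constructed samples: two tokens from two separate flows with different
# auth_time values, as in the post (the OP authenticates the user afresh on
# every flow), plus a stale one and one without auth_time.
NOW = 1_700_000_000
MAX_AGE = 10000
FIRST_FLOW = _make_token({"sub": "user1", "iat": NOW - 300, "auth_time": NOW - 300})
SECOND_FLOW = _make_token({"sub": "user1", "iat": NOW - 5, "auth_time": NOW - 5})
STALE_FLOW = _make_token({"sub": "user1", "iat": NOW, "auth_time": NOW - 20000})
NO_AUTH_TIME = _make_token({"sub": "user1", "iat": NOW})


def evaluate(token: str, max_age: int = MAX_AGE, now: int = NOW) -> bool:
    """Convenience wrapper: decode the sample token and apply the max_age rule."""
    ok, _ = check_max_age(decode_unsigned_payload(token), max_age, now)
    return ok


if __name__ == "__main__":
    for name, tok in [("first", FIRST_FLOW), ("second", SECOND_FLOW),
                      ("stale", STALE_FLOW), ("no auth_time", NO_AUTH_TIME)]:
        ok, reason = check_max_age(decode_unsigned_payload(tok), MAX_AGE, NOW)
        print(f"{name:12s} {'OK ' if ok else 'BAD'} {reason}")
```

Run stand-alone, the script reports the first and second flow as OK even though their auth_time values differ, and rejects the stale token and the token without auth_time. The skew allowance is a design choice of this example; an RP that wants a strict reading of max_age can set it to 0.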