spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

Discrepancy auth_time claim in OidcIdToken #1628

Closed bvanloocke closed 3 weeks ago

bvanloocke commented 1 month ago

Describe the bug

There is a discrepancy in the ID token: according to org.springframework.security.oauth2.core.oidc.OidcIdToken.Builder#authTime, the type of the AUTH_TIME claim should be Instant, but according to org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java:140, a java.util.Date is used.

Expected behavior

There should be 1 type. In tokens, java.time.Instants are normally used (issuedAt, expiresAt, ...).

jgrandja commented 1 month ago

@bvanloocke Although the auth_time claim is added as a java.util.Date and exp, iat and nbf claims are added as java.time.Instant, the claims are converted to java.util.Date before the ID Token is serialized.

I don't see any issues at this point. Is there a specific bug that you are seeing that you can reproduce?
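The point in the comment above, that a claim held as java.util.Date and one held as java.time.Instant come out the same once the token is serialized, can be seen in plain JDK code. This is an added illustration, not Spring Authorization Server or Nimbus code: NumericDateDemo, toWireValue and normalize are hypothetical names, the claim values are constructed, and the sketch skips the intermediate Date step and maps straight to the JWT NumericDate form (whole seconds since the epoch).

```java
import java.time.Instant;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;

public class NumericDateDemo {

    // Hypothetical helper (not a Spring or Nimbus API): map either temporal
    // type to the JWT NumericDate form, i.e. whole seconds since the epoch.
    static Object toWireValue(Object value) {
        if (value instanceof Instant) {
            return ((Instant) value).getEpochSecond();
        }
        if (value instanceof Date) {
            // Date carries milliseconds; floorDiv matches Instant.getEpochSecond()
            return Math.floorDiv(((Date) value).getTime(), 1000L);
        }
        return value; // non-temporal claims pass through unchanged
    }

    // Apply the same conversion to every claim before it would be written out.
    static Map<String, Object> normalize(Map<String, Object> claims) {
        Map<String, Object> wire = new LinkedHashMap<>();
        claims.forEach((name, value) -> wire.put(name, toWireValue(value)));
        return wire;
    }

    public static void main(String[] args) {
        // Constructed sample time with a sub-second part, to show truncation.
        Instant now = Instant.parse("2024-05-01T12:00:00.750Z");

        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("sub", "user1");               // constructed sample subject
        claims.put("iat", now);                   // Instant, as for iat/exp/nbf
        claims.put("auth_time", Date.from(now));  // Date, as reported for auth_time

        Map<String, Object> wire = normalize(claims);
        System.out.println(wire);

        // Both claims must carry the identical numeric value on the wire.
        if (!wire.get("iat").equals(wire.get("auth_time"))) {
            throw new AssertionError("iat and auth_time differ after normalization");
        }
    }
}
```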

spring-projects-issues commented 1 month ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues commented 3 weeks ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.