diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 315c95e43..83d4bec49 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -15,16 +15,18 @@
  ******************************************************************************/
 package org.mitre.openid.connect.token;
 
-import java.security.NoSuchAlgorithmException;
 import java.util.Date;
 import java.util.Set;
 import java.util.UUID;
 
+import javax.servlet.http.HttpSession;
+
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
+import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -32,6 +34,8 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
@@ -100,9 +104,17 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 			JWTClaimsSet idClaims = new JWTClaimsSet();
 			
 			
-			idClaims.setCustomClaim("auth_time", new Date().getTime());
+			// get the auth time from the session
+			ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+			if (attr != null) {
+				HttpSession session = attr.getRequest().getSession();
+				if (session != null) {
+					Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+					idClaims.setClaim("auth_time", authTime.getTime() / 1000);
+				}
+			}
 			
-			idClaims.setIssueTime(new Date());
+			idClaims.setIssueTime(claims.getIssueTime());
 			
 			if (client.getIdTokenValiditySeconds() != null) {
 				Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
new file mode 100644
index 000000000..a5924529e
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
@@ -0,0 +1,54 @@
+/**
+ * 
+ */
+package org.mitre.openid.connect.web;
+
+import java.io.IOException;
+import java.util.Date;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.stereotype.Component;
+
+/**
+ * This class sets a timestamp on the current HttpSession 
+ * when someone successfully authenticates. 
+ * 
+ * @author jricher
+ *
+ */
+@Component("authenticationTimeStamper")
+public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSuccessHandler {
+
+	private static Logger logger = LoggerFactory.getLogger(AuthenticationTimeStamper.class);
+	
+	public static final String AUTH_TIMESTAMP = "AUTH_TIMESTAMP";
+	
+	/**
+	 * Set the timestamp on the session to mark when the authentication happened, 
+	 * useful for calculating authentication age.
+	 */
+	@Override
+	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+
+		Date authTimestamp = new Date();
+		
+		HttpSession session = request.getSession();
+
+		session.setAttribute(AUTH_TIMESTAMP, authTimestamp);
+
+		logger.info("Successful Authentication at " + authTimestamp.toString());
+		
+		super.onAuthenticationSuccess(request, response, authentication);
+		
+	}
+
+}
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
index e47cfca7d..b30f5b38c 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
@@ -27,7 +27,7 @@
 	</security:http>
 		
 	<security:http disable-url-rewriting="true" use-expressions="true"> 
-		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" />
+		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
 		<security:intercept-url pattern="/**" access="permitAll" />
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:logout logout-url="/logout" />