auth_time is now tracked, addresses #288

openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

@@ -116,20 +116,9 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 			JWTClaimsSet idClaims = new JWTClaimsSet();
 
 
-			//
+			if (authentication.getOAuth2Request().getExtensions().containsKey(AuthenticationTimeStamper.AUTH_TIMESTAMP)) {
-			// FIXME: storing the auth time in the session doesn't actually work, because we need access to it from the token endpoint when the user isn't present
+				Date authTime = (Date) authentication.getOAuth2Request().getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
-			//
+				idClaims.setClaim("auth_time", authTime.getTime() / 1000);
-
-			// get the auth time from the session
-			ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
-			if (attr != null) {
-				HttpSession session = attr.getRequest().getSession();
-				if (session != null) {
-					Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
-					if (authTime != null) {
-						idClaims.setClaim("auth_time", authTime.getTime() / 1000);
-					}
-				}
 			}
 			
 			idClaims.setIssueTime(claims.getIssueTime());

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -22,10 +22,13 @@ import java.util.Date;
 import java.util.Map;
 import java.util.Set;
 
+import javax.servlet.http.HttpSession;
+
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.WhitelistedSiteService;
+import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
@@ -33,6 +36,8 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
@@ -138,6 +143,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 						authorizationRequest.getExtensions().put("approved_site", ap.getId());
 						authorizationRequest.setApproved(true);
 						alreadyApproved = true;
+						
+						setAuthTime(authorizationRequest);
 					}
 				}
 			}
@@ -150,6 +157,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 					ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
 					authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 					authorizationRequest.setApproved(true);
+					
+					setAuthTime(authorizationRequest);
 				}
 			}
 		}
@@ -213,11 +222,34 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 			}
 			
+			setAuthTime(authorizationRequest);
+
+
 		}
 
 		return authorizationRequest;
 	}
 
+	/**
+	 * Get the auth time out of the current session and add it to the 
+	 * auth request in the extensions map.
+	 * 
+	 * @param authorizationRequest
+	 */
+	private void setAuthTime(AuthorizationRequest authorizationRequest) {
+		// Get the session auth time, if we have it, and store it in the request
+		ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+		if (attr != null) {
+			HttpSession session = attr.getRequest().getSession();
+			if (session != null) {
+				Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+				if (authTime != null) {
+					authorizationRequest.getExtensions().put(AuthenticationTimeStamper.AUTH_TIMESTAMP, authTime);
+				}
+			}
+		}
+	}
+
 	/**
 	 * Check whether the requested scope set is a proper subset of the allowed scopes.
 	 * 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java

@@ -49,15 +49,12 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 
 	/**
 	 * Set the timestamp on the session to mark when the authentication happened,
-	 * useful for calculating authentication age.
+	 * useful for calculating authentication age. This gets stored in the sesion
+	 * and can get pulled out by other components.
 	 */
 	@Override
 	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
 
-		//
-		// FIXME: storing the auth time in the session doesn't actually work because we need access to it from the token endpoint when the user isn't present
-		//
-
 		Date authTimestamp = new Date();
 
 		HttpSession session = request.getSession();