diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index ad5909005..fe77842d8 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -115,13 +115,19 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 JWTClaimsSet idClaims = new JWTClaimsSet();
+ //
+ // FIXME: storing the auth time in the session doesn't actually work, because we need access to it from the token endpoint when the user isn't present
+ //
+
 // get the auth time from the session
 ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
 if (attr != null) {
 HttpSession session = attr.getRequest().getSession();
 if (session != null) {
 Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
- idClaims.setClaim("auth_time", authTime.getTime() / 1000);
+ if (authTime != null) {
+ idClaims.setClaim("auth_time", authTime.getTime() / 1000);
+ }
 }
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
index a5924529e..7337e5cb7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
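Review bot: The added `if (authTime != null)` guard turns the NullPointerException into a silently missing `auth_time` claim, and the FIXME it sits under says this is the expected case at the token endpoint; a client that depends on `auth_time` (for instance to verify a requested `max_age`) then receives an ID token without it and nothing is logged. An `else` branch that logs the omission at warn level, stating that `AuthenticationTimeStamper.AUTH_TIMESTAMP` was not found in the session, would keep the failure visible until the FIXME is resolved. The two outer null checks look inert as written: `RequestContextHolder.currentRequestAttributes()` throws `IllegalStateException` rather than returning null when no request is bound, and `getSession()` creates a session when none exists, so `attr != null` and `session != null` never trigger. Switching to `RequestContextHolder.getRequestAttributes()` and `attr.getRequest().getSession(false)` makes both guards meaningful and avoids creating a server-side session for token-endpoint calls. The enclosing method continues outside the hunk.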
@@ -39,6 +39,10 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 @Override
 public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+ //
+ // FIXME: storing the auth time in the session doesn't actually work because we need access to it from the token endpoint when the user isn't present
+ //
+
 Date authTimestamp = new Date();
 HttpSession session = request.getSession();