From 9c6b08d919eadc0278519da29e33d3a75f3222d1 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 16 Apr 2013 16:04:26 -0400
Subject: [PATCH] effectively removed auth_time calculations

---
 .../mitre/openid/connect/token/ConnectTokenEnhancer.java | 8 +++++++-
 .../openid/connect/web/AuthenticationTimeStamper.java | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index ad5909005..fe77842d8 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -115,13 +115,19 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 JWTClaimsSet idClaims = new JWTClaimsSet();
+ //
+ // FIXME: storing the auth time in the session doesn't actually work, because we need access to it from the token endpoint when the user isn't present
+ //
+
 // get the auth time from the session
 ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
 if (attr != null) {
 HttpSession session = attr.getRequest().getSession();
 if (session != null) {
 Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
- idClaims.setClaim("auth_time", authTime.getTime() / 1000);
+ if (authTime != null) {
+ idClaims.setClaim("auth_time", authTime.getTime() / 1000);
+ }
 }
 }

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
index a5924529e..7337e5cb7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
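Review bot: The added null check only hides the problem the new FIXME describes: when the ID token is minted at the token endpoint without the user's session, `auth_time` is silently dropped, and an RP that sent `max_age` (for which OpenID Connect Core requires `auth_time` in the ID token) can no longer enforce re-authentication and receives no error. Until the timestamp is persisted with the authorization rather than the HTTP session, the omission should at least be logged so it is visible to operators. Two smaller points on the same lines: `RequestContextHolder.currentRequestAttributes()` throws IllegalStateException instead of returning null when no request is bound, so the `attr != null` branch never guards the non-web case (`getRequestAttributes()` is the null-returning variant), and `attr.getRequest().getSession()` creates a new session for every back-channel token request that has none — `HttpSession session = attr.getRequest().getSession(false);` avoids that and the existing `session != null` check already covers the null return. The enclosing method starts and ends outside the hunk.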
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
@@ -39,6 +39,10 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 @Override
 public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+ //
+ // FIXME: storing the auth time in the session doesn't actually work because we need access to it from the token endpoint when the user isn't present
+ //
+
 Date authTimestamp = new Date();
 HttpSession session = request.getSession();