Keep old value of max_age when removed

DuendeSoftware · May 31, 2024 · 4058400 · 4058400
1 parent 26a15d9
commit 4058400
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/src/IdentityServer/Constants.cs b/src/IdentityServer/Constants.cs
@@ -131,6 +131,12 @@ public static class SigningAlgorithms
     /// </summary>
     public const string ProcessedPrompt = "suppressed_" + OidcConstants.AuthorizeRequest.Prompt;
 
+    /// <summary>
+    /// The name of the parameter passed to the authorize callback to indicate
+    /// max age that have already been used.
+    /// </summary>
+    public const string ProcessedMaxAge = "suppressed_" + OidcConstants.AuthorizeRequest.MaxAge;
+
     public static class KnownAcrValues
     {
         public const string HomeRealm = "idp:";

diff --git a/src/IdentityServer/Extensions/ValidatedAuthorizeRequestExtensions.cs b/src/IdentityServer/Extensions/ValidatedAuthorizeRequestExtensions.cs
@@ -10,6 +10,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Collections.Specialized;
+using System.Globalization;
 
 #pragma warning disable 1591
 
@@ -49,6 +50,16 @@ public static void RemovePrompt(this ValidatedAuthorizeRequest request)
         }).ToArray();
     }
 
+    public static void RemoveMaxAge(this ValidatedAuthorizeRequest request)
+    {
+        request.Raw.Remove("max_age");
+
+        if (request.MaxAge.HasValue)
+        {
+            request.Raw.Add(Constants.ProcessedMaxAge, request.MaxAge.Value.ToString(CultureInfo.InvariantCulture));
+        }
+    }
+
     public static string GetPrefixedAcrValue(this ValidatedAuthorizeRequest request, string prefix)
     {
         var value = request.AuthenticationContextReferenceClasses

diff --git a/src/IdentityServer/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs b/src/IdentityServer/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs
@@ -244,8 +244,11 @@ protected internal virtual async Task<InteractionResponse> ProcessLoginAsync(Val
             var authTime = request.Subject.GetAuthenticationTime();
             if (Clock.UtcNow.UtcDateTime > authTime.AddSeconds(request.MaxAge.Value))
             {
-                // Remove the max_age parameter to prevent (infinite) loop
-                request.Raw.Remove("max_age");
+                // Remove the max_age=0 parameter to prevent (infinite) loop
+                if (request.MaxAge.Value == 0)
+                {
+                    request.RemoveMaxAge();
+                }
 
                 Logger.LogInformation("Showing login: Requested MaxAge exceeded.");