Fix auth_time claim should represent authentication time

Closes gh-18282

Author: jgrandja

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java

@@ -60,6 +60,7 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@@ -210,7 +211,8 @@ public void requestWhenAuthenticationRequestThenTokenResponseIncludesIdToken() t
 				registeredClient);
 		MvcResult mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user").roles("A", "B")))
+				.with(user("user").roles("A", "B")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
@@ -270,7 +272,8 @@ public void requestWhenRefreshTokenRequestThenIdTokenContainsSidClaim() throws E
 				registeredClient);
 		MvcResult mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user").roles("A", "B")))
+				.with(user("user").roles("A", "B")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
@@ -335,7 +338,8 @@ public void requestWhenLogoutRequestThenLogout() throws Exception {
 				registeredClient);
 		MvcResult mvcResult = this.mvc
 			.perform(get(issuer.concat(DEFAULT_AUTHORIZATION_ENDPOINT_URI)).queryParams(authorizationRequestParameters)
-				.with(user("user")))
+				.with(user("user")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 
@@ -388,7 +392,8 @@ public void requestWhenLogoutRequestWithOtherUsersIdTokenThenNotLogout() throws
 				registeredClient1);
 		MvcResult mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user1")))
+				.with(user("user1")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 
@@ -424,7 +429,8 @@ public void requestWhenLogoutRequestWithOtherUsersIdTokenThenNotLogout() throws
 		authorizationRequestParameters = getAuthorizationRequestParameters(registeredClient2);
 		mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user2")))
+				.with(user("user2")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 
@@ -497,7 +503,8 @@ public void requestWhenAuthenticationRequestWithOfflineAccessScopeThenTokenRespo
 				registeredClient);
 		MvcResult mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user")))
+				.with(user("user")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
@@ -537,7 +544,8 @@ public void requestWhenAuthenticationRequestWithoutOfflineAccessScopeThenTokenRe
 				registeredClient);
 		MvcResult mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI).queryParams(authorizationRequestParameters)
-				.with(user("user")))
+				.with(user("user")
+					.authorities(FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY))))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();
 		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java

@@ -24,6 +24,9 @@
 import java.util.UUID;
 
 import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
@@ -141,7 +144,7 @@ else if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue()))
 				SessionInformation sessionInformation = context.get(SessionInformation.class);
 				if (sessionInformation != null) {
 					claimsBuilder.claim("sid", sessionInformation.getSessionId());
-					claimsBuilder.claim(IdTokenClaimNames.AUTH_TIME, sessionInformation.getLastRequest());
+					claimsBuilder.claim(IdTokenClaimNames.AUTH_TIME, getAuthenticationTime(context.getPrincipal()));
 				}
 			}
 			else if (AuthorizationGrantType.REFRESH_TOKEN.equals(context.getAuthorizationGrantType())) {
@@ -222,4 +225,17 @@ public void setClock(Clock clock) {
 		this.clock = clock;
 	}
 
+	static Date getAuthenticationTime(Authentication authentication) {
+		Instant authenticationTime = null;
+		for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
+			if (grantedAuthority instanceof FactorGrantedAuthority factorGrantedAuthority) {
+				if (authenticationTime == null || factorGrantedAuthority.getIssuedAt().isAfter(authenticationTime)) {
+					authenticationTime = factorGrantedAuthority.getIssuedAt();
+				}
+			}
+		}
+		Assert.notNull(authenticationTime, "authenticationTime cannot be null");
+		return Date.from(authenticationTime);
+	}
+
 }

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/TestOAuth2Authorizations.java

@@ -24,6 +24,9 @@
 import java.util.Map;
 
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.FactorGrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
@@ -85,6 +88,9 @@ private static OAuth2Authorization.Builder authorization(RegisteredClient regist
 			.additionalParameters(authorizationRequestAdditionalParameters)
 			.state("state")
 			.build();
+		Authentication principal = new TestingAuthenticationToken("principal", null,
+				new SimpleGrantedAuthority("ROLE_A"), new SimpleGrantedAuthority("ROLE_B"),
+				FactorGrantedAuthority.fromAuthority(FactorGrantedAuthority.PASSWORD_AUTHORITY));
 		OAuth2Authorization.Builder builder = OAuth2Authorization.withRegisteredClient(registeredClient)
 			.id("id")
 			.principalName("principal")
@@ -93,8 +99,7 @@ private static OAuth2Authorization.Builder authorization(RegisteredClient regist
 			.token(authorizationCode)
 			.attribute(OAuth2ParameterNames.STATE, "consent-state")
 			.attribute(OAuth2AuthorizationRequest.class.getName(), authorizationRequest)
-			.attribute(Principal.class.getName(),
-					new TestingAuthenticationToken("principal", null, "ROLE_A", "ROLE_B"));
+			.attribute(Principal.class.getName(), principal);
 		if (accessToken != null) {
 			OAuth2RefreshToken refreshToken = new OAuth2RefreshToken("refresh-token", Instant.now(),
 					Instant.now().plus(1, ChronoUnit.HOURS));

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java

@@ -363,7 +363,7 @@ private void assertGeneratedTokenType(OAuth2TokenContext tokenContext, Clock clo
 				SessionInformation sessionInformation = tokenContext.get(SessionInformation.class);
 				assertThat(jwtClaimsSet.<String>getClaim("sid")).isEqualTo(sessionInformation.getSessionId());
 				assertThat(jwtClaimsSet.<Date>getClaim(IdTokenClaimNames.AUTH_TIME))
-					.isEqualTo(sessionInformation.getLastRequest());
+					.isEqualTo(JwtGenerator.getAuthenticationTime(tokenContext.getPrincipal()));
 			}
 			else if (tokenContext.getAuthorizationGrantType().equals(AuthorizationGrantType.REFRESH_TOKEN)) {
 				OidcIdToken currentIdToken = tokenContext.getAuthorization().getToken(OidcIdToken.class).getToken();