lib/rodauth/features/oidc.rb in rodauth-oauth-0.9.2 vs lib/rodauth/features/oidc.rb in rodauth-oauth-0.9.3

- old
+ new

@@ -72,10 +72,11 @@
auth_value_method :oauth_applications_userinfo_encrypted_response_alg_column, :userinfo_encrypted_response_alg
auth_value_method :oauth_applications_userinfo_encrypted_response_enc_column, :userinfo_encrypted_response_enc
auth_value_method :oauth_grants_nonce_column, :nonce
auth_value_method :oauth_tokens_nonce_column, :nonce
+ auth_value_method :oauth_tokens_auth_time_column, :auth_time
translatable_method :invalid_scope_message, "The Access Token expired"
auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
@@ -339,12 +340,11 @@
id_token_claims = jwt_claims(oauth_token)
id_token_claims[:nonce] = oauth_token[oauth_tokens_nonce_column] if oauth_token[oauth_tokens_nonce_column]
# Time when the End-User authentication occurred.
#
- # Sounds like the same as issued at claim.
- id_token_claims[:auth_time] = id_token_claims[:iat]
+ id_token_claims[:auth_time] = oauth_token[oauth_tokens_auth_time_column].to_i
account = db[accounts_table].where(account_id_column => oauth_token[oauth_tokens_account_id_column]).first
# this should never happen!
# a newly minted oauth token from a grant should have been assigned to an account
@@ -486,10 +486,10 @@
oidc_claims = OIDC_SCOPES_MAP[oidc]
claims.concat(oidc_claims) if oidc_claims
end
end
- scope_claims.unshift("auth_time") if last_account_login_at
+ scope_claims.unshift("auth_time")
response_types_supported = metadata[:response_types_supported]
if metadata[:grant_types_supported].include?("implicit")
response_types_supported += ["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"]
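Review bot: `oauth_token[oauth_tokens_auth_time_column].to_i` in the second hunk turns a NULL or missing auth_time (tokens minted before the column existed, or a code path that never fills it) into `auth_time: 0`, an epoch-dated authentication instead of an absent claim, so a relying party enforcing `max_age` always sees a stale login and one that does not validate accepts a fabricated instant. Emit the claim only when the value exists: `auth_time = oauth_token[oauth_tokens_auth_time_column]` then `id_token_claims[:auth_time] = auth_time.to_i if auth_time`; the third hunk's now-unconditional `scope_claims.unshift("auth_time")` in the advertised claims stays accurate for every token that carries the column. `.to_i` also presumes the column comes back as a `Time`; a `DateTime` from the adapter has no `to_i`, which is worth confirming against the Sequel configuration. Where the column is written is outside this diff; it should carry the session's authentication instant rather than token issuance, or the claim is just `iat` under another name. The enclosing method starts and ends outside the hunk, and the orphaned `#` comment line left above the assignment can be dropped together with the removed remark.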