Include auth_time in the ID token. Switch from upsert to find_and_create_by so that we actually get sid values for consent when the record is created

Dan Milne
2025-12-31 16:36:32 +11:00
parent 364e6e21dd
commit 4b4afe277e
8 changed files with 256 additions and 78 deletions


@@ -49,6 +49,9 @@ module Authentication
user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
Current.session = session
# Store auth_time in session for OIDC max_age support
session[:auth_time] = Time.now.to_i
# Extract root domain for cross-subdomain cookies (required for forward auth)
domain = extract_root_domain(request.host)