From 46e3b460c122d40e7dddba3917e6120b12f93224 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Wed, 25 Mar 2015 16:11:45 +0000
Subject: [PATCH] Check max_age request parameter for authenticated user (#184)
---
 .../NG/Portal/IssuerDBOpenIDConnect.pm | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
index 7681cd5d8..755e6cf46 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@@ -423,11 +423,28 @@ sub issuerForAuthUser {
 );
 }
- my $prompt = $oidc_request->{'prompt'};
+ # Check if user needs to be reauthenticated
+ my $reauthentication = 0;
+ my $prompt = $oidc_request->{'prompt'};
 if ( $prompt =~ /\blogin\b/ ) {
+ $self->lmLog(
+"Reauthentication requested by Relying Party in prompt parameter",
+ 'debug'
+ );
+ $reauthentication = 1;
+ }
- $self->lmLog( "Reauthentication requested by Relying Party",
- 'debug' );
+ my $max_age = $oidc_request->{'max_age'};
+ my $_lastAuthnUTime = $self->{sessionInfo}->{_lastAuthnUTime};
+ if ( defined $max_age && time > $_lastAuthnUTime + $max_age ) {
+ $self->lmLog(
+"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
+ 'debug'
+ );
+ $reauthentication = 1;
+ }
+
+ if ($reauthentication) {
 # Replay authentication process
 $self->{updateSession} = 1;
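Review bot: `$max_age` comes straight from the Relying Party's request and is used unvalidated in the arithmetic on the `if ( defined $max_age && time > $_lastAuthnUTime + $max_age )` line, so a non-numeric value is silently treated as 0 (with an "isn't numeric" warning) and a negative value also forces reauthentication; OpenID Connect defines max_age as a non-negative integer, so reject anything else before comparing, e.g. `if ( defined $max_age && $max_age =~ /\A\d+\z/ && time > $_lastAuthnUTime + $max_age ) {`, or treat a malformed value as an invalid request if the surrounding code has a path for that. The comparison also assumes `$self->{sessionInfo}->{_lastAuthnUTime}` is always present and is an epoch timestamp comparable with `time`; if an older session lacks it the expression degrades to `time > $max_age` and forces reauthentication with an uninitialized-value warning, which is fail-safe but worth a `// 0` or an explicit check if such sessions can exist. A small wording fix in the new log string: `forced cause` should read `forced because`. issuerForAuthUser's body continues outside the hunk.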