Google OpenID Connect: Receiving a 500 error when supplying the “max_age” parameter to an authentication request

Question

As required by Google, we are attempting to finish our migration from Google\'s previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has

Answer 1

As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.

However, regardless of the value of max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).

If you need to reauthenticate users on your own site, you are encouraged to do so via another means.

Answer 2

Google does not honor the max_age parameter and may be considered to be outside of the spec on that one. Yet they have sound reasoning for it (see: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150323/005445.html) that boils down to the fact that they don't want the RP to take full control over re-authentication with a "one size fits all" feature and some additional security considerations.

I'm hoping someone from Google will reply here as well with their plans going forward but for now there's nothing that you can do about it.