Google OpenID Connect: Receiving a 500 error when supplying the “max_age” parameter to an authentication request

Question

As required by Google, we are attempting to finish our migration from Google\'s previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has

Answer 1

As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.

However, regardless of the value of max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).

If you need to reauthenticate users on your own site, you are encouraged to do so via another means.