Prevent infinite loop when max_age=0

DuendeSoftware · Apr 23, 2024 · 0e1fdab · 0e1fdab
1 parent 3527069
commit 0e1fdab
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/IdentityServer/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs b/src/IdentityServer/ResponseHandling/Default/AuthorizeInteractionResponseGenerator.cs
@@ -244,6 +244,9 @@ protected internal virtual async Task<InteractionResponse> ProcessLoginAsync(Val
             var authTime = request.Subject.GetAuthenticationTime();
             if (Clock.UtcNow.UtcDateTime > authTime.AddSeconds(request.MaxAge.Value))
             {
+                // Remove the max_age parameter to prevent (infinite) loop
+                request.Raw.Remove("max_age");
+
                 Logger.LogInformation("Showing login: Requested MaxAge exceeded.");
 
                 return new InteractionResponse { IsLogin = true };