Support max_age parameter for OAuth2 authorization server

[chrylis]

Pending #6320, I have an application where the OICD max_age parameter would be useful to have for forcing re-authentication before a sensitive operation. I'd like to include this feature in the new support.

[rwinch]

Thanks for reaching out. Are you looking to provide this via the authorization server or the client (or both)?

[chrylis]

To my knowledge, this is a server-based operation; the client calls authorize and requests a specific limit on the time since the last active authentication (in many cases, zero to force a reauthentication for some specific operation such as a crypto withdrawal). I suppose that some sort of API support in the client could be useful, but at this point I don't have the experience I'd need to know what would be ergonomically appropriate.

[jgrandja]

The Spring Security team has decided to no longer provide support for Authorization Servers.

Please see the latest announcement on Spring Security OAuth 2.0 Roadmap Update.