To implement auth_time correctly, I propose auth_time_from_session
Details
auth_time_from_resource_owner is designed to get the authentication time from the resource_owner object.
In many cases, developers are likely to implement it by getting the last login time of the resource owner from the database.
This is also implied by the sample implementation in the template:
doorkeeper-openid_connect/lib/generators/doorkeeper/openid_connect/templates/initializer.rb, lines 21 to 24 in bd68459
The authentication time stored in the database will be overwritten when the user signs in with another session.
Therefore, this leads to an insecure specification.
For example, if a user signed in 12 hours ago on a PC browser and 1 hour ago on a smartphone browser, and the user does the OIDC flow on the PC, auth_time will be the time 1 hour ago. However, auth_time should be the time the user logged in on the PC.
Even if the Relying Party requires that the user authenticate within 6 hours using max_age, it will not re-authenticate.
Proposal
To solve this, my idea is as follows.
Add auth_time_from_session as a config instead of auth_time_from_resource_owner.
handle_oidc_max_age_param will also be able to correctly determine, for each session, whether it should be re-authenticated.
And, when creating an openid_request, get the auth_time from the session and store the time in the DB with the nonce. This way, the authorization code and auth_time will be bound. Then it will be possible to return the auth_time associated with the specified authorization code in the token request.
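The scenario from the issue, replayed as an added example that is not part of the original post or of doorkeeper-openid_connect. The ResourceOwner, Session and OpenidRequest structs, the sample timestamps and the nonce are constructed for the example; AUTH_TIME_FROM_RESOURCE_OWNER only mirrors what a current_sign_in_at-based auth_time_from_resource_owner block does, and AUTH_TIME_FROM_SESSION together with the code-to-auth_time binding is a sketch of the proposed behaviour, not an API the gem provides:

```ruby
require "securerandom"
require "time"

# Constructed model of a resource owner whose last sign-in time lives in one
# database column that is overwritten on every sign-in (the Devise-style
# current_sign_in_at that the initializer template's comment suggests).
ResourceOwner = Struct.new(:id, :current_sign_in_at) do
  def sign_in!(at)
    self.current_sign_in_at = at
  end
end

# Constructed per-browser session: each one records when *it* authenticated.
Session = Struct.new(:owner, :authenticated_at)

# Plain-Ruby stand-ins for the two hooks under discussion. The first mirrors
# what a typical auth_time_from_resource_owner block returns; the second is the
# proposed auth_time_from_session and is an assumption of this example.
AUTH_TIME_FROM_RESOURCE_OWNER = ->(resource_owner) { resource_owner.current_sign_in_at }
AUTH_TIME_FROM_SESSION        = ->(session)        { session.authenticated_at }

# OIDC Core 3.1.2.1: when max_age seconds have elapsed since auth_time the OP
# MUST actively re-authenticate the end user. max_age is in seconds.
def reauth_required?(auth_time, max_age, now:)
  return false if max_age.nil?
  auth_time.nil? || (now - auth_time) > max_age
end

# Constructed stand-in for an openid_request row that also stores auth_time,
# so the authorization code is bound to the session's authentication time.
OpenidRequest = Struct.new(:code, :nonce, :auth_time)
OPENID_REQUESTS = {}

def issue_authorization_code(session, nonce)
  code = SecureRandom.hex(16)
  OPENID_REQUESTS[code] = OpenidRequest.new(code, nonce, AUTH_TIME_FROM_SESSION.call(session))
  code
end

# Token endpoint side: the claims come from the row bound to the code, not from
# whatever the resource owner's column says at redemption time.
def id_token_claims_for(code)
  req = OPENID_REQUESTS.fetch(code)
  { "nonce" => req.nonce, "auth_time" => req.auth_time.to_i }
end

# Replays the scenario from the issue: PC signed in 12h ago, phone 1h ago, and
# the PC starts an OIDC flow with max_age=6h. Returns what each strategy decides.
def simulate(now: Time.utc(2024, 1, 1, 12, 0, 0))
  OPENID_REQUESTS.clear
  owner = ResourceOwner.new(42, nil)

  owner.sign_in!(now - 12 * 3600)
  pc = Session.new(owner, owner.current_sign_in_at)

  # The phone's sign-in overwrites the only timestamp the database has.
  owner.sign_in!(now - 1 * 3600)
  _phone = Session.new(owner, owner.current_sign_in_at)

  max_age = 6 * 3600
  code = issue_authorization_code(pc, "n-0001") # constructed nonce

  {
    resource_owner_auth_time: AUTH_TIME_FROM_RESOURCE_OWNER.call(pc.owner),
    session_auth_time: AUTH_TIME_FROM_SESSION.call(pc),
    resource_owner_reauth: reauth_required?(AUTH_TIME_FROM_RESOURCE_OWNER.call(pc.owner), max_age, now: now),
    session_reauth: reauth_required?(AUTH_TIME_FROM_SESSION.call(pc), max_age, now: now),
    claims: id_token_claims_for(code)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = simulate
  puts "resource-owner strategy: auth_time=#{result[:resource_owner_auth_time].utc.iso8601} reauth=#{result[:resource_owner_reauth]}"
  puts "session strategy:        auth_time=#{result[:session_auth_time].utc.iso8601} reauth=#{result[:session_reauth]}"
  puts "ID token claims bound to the PC's code: #{result[:claims]}"
end
```

With the database column, the PC's flow sees the phone's sign-in (1 hour old) and passes the 6-hour max_age check without re-authentication; with the per-session value it sees its own 12-hour-old sign-in and is forced to re-authenticate. Because auth_time is written into the openid_request row when the code is issued, a later sign-in from another session cannot change the claim returned at the token endpoint for that code.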