I'm using the oidc-client-js library to handle OIDC redirect SSO style authentication against our IdentityServer4 implementation from an Angular app. The IdToken/Cookie in the app is good for 1+ days. The access token lifetime is shorter and does silent refreshes. There could be times where the app is left up and running without the user having to log in again, which is what we want, but there may be specific areas in the app where we would like to verify the user's identity due to sensitive data.
I see that doing this via just having the app ask for the password again and doing a ResourceOwner grant style password validation is not yet supported by the library. I don't mind using the existing popUpRedirect with the prompt request setting to force a login. What I'm stuck on is that I don't see anywhere (at least documented) where the timestamp of the last user login happened. Ex. if the user logged on in the last 5 minutes, then sensitive data access is okay.
Before everyone chimes in, I'm not looking for the access token timestamp or expiration. Our access tokens are being refreshed silently without user intervention, so that doesn't help. Am I looking for a timestamp on the IdToken? Does the library expose that? Or am I going about this process all wrong? Thanks in advance.
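
The five-minute rule described in the question, as an added example that is not part of the original post: OpenID Connect Core defines an `auth_time` claim (the time, in seconds since the epoch, at which the end-user last authenticated) that a provider can place in the ID token. The function names and the sample token are constructed for illustration, and the code assumes the provider emits `auth_time` and that the ID token's signature was already validated by the client library.

```javascript
// Added example (not from the original post): step-up gate based on the
// OIDC `auth_time` claim. All names below are hypothetical helpers.

// Build an unsigned, constructed sample ID token so the example runs offline.
function makeSampleIdToken(claims) {
  const b64url = (obj) =>
    Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [b64url({ alg: "none", typ: "JWT" }), b64url(claims), "constructed-sig"].join(".");
}

// Decode the payload of a compact JWT. No signature check is done here:
// assumption is that the OIDC client library validated the token on receipt.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// True only if the user authenticated interactively within maxAgeSeconds.
// A silent access-token refresh does not change auth_time, so it cannot
// satisfy this check on its own.
function isRecentlyAuthenticated(claims, maxAgeSeconds,
    nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const authTime = claims ? claims.auth_time : undefined;
  // Missing or malformed claim: fail closed and require a fresh login.
  if (!Number.isInteger(authTime) || authTime <= 0) return false;
  // A value further in the future than the allowed clock skew is not trusted.
  if (authTime > nowSeconds + skewSeconds) return false;
  return nowSeconds - authTime <= maxAgeSeconds;
}

// Decide what the UI should do before showing a sensitive area.
function stepUpDecision(idToken, maxAgeSeconds, nowSeconds) {
  let claims;
  try { claims = decodeJwtPayload(idToken); } catch (e) { return "reauthenticate"; }
  return isRecentlyAuthenticated(claims, maxAgeSeconds, nowSeconds)
    ? "allow" : "reauthenticate";
}

// Constructed demo: login 2 minutes ago versus login a day ago.
const demoNow = 1700000000;
console.log(stepUpDecision(makeSampleIdToken({ sub: "u1", auth_time: demoNow - 120 }), 300, demoNow));
console.log(stepUpDecision(makeSampleIdToken({ sub: "u1", auth_time: demoNow - 86400 }), 300, demoNow));
```

A check like this in the browser only gates the UI; the API serving the sensitive data has to enforce the same freshness rule itself.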