first cut (#329)

Author: leastprivilege

src/OidcClient/OidcClient.cs

@@ -234,16 +234,16 @@ public virtual async Task<LoginResult> ProcessResponseAsync(
                 }
             }
 
-            var user = ProcessClaims(result.User, userInfoClaims);
-
-            var authTimeValue = result.TokenResponse.TryGet(JwtClaimTypes.AuthenticationTime);
+            var authTimeValue = result.User.FindFirst(JwtClaimTypes.AuthenticationTime)?.Value;
             DateTimeOffset? authTime = null;
 
             if (authTimeValue.IsPresent() && long.TryParse(authTimeValue, out long seconds))
             {
                 authTime = DateTimeOffset.FromUnixTimeSeconds(seconds);
             }
 
+            var user = ProcessClaims(result.User, userInfoClaims);
+
             var loginResult = new LoginResult
             {
                 User = user,

test/OidcClient.Tests/CodeFlowResponseTests.cs

@@ -58,7 +58,8 @@ public async Task Valid_response_with_id_token_should_succeed()
             var url = $"?state={state.State}&code=bar";
             var idToken = Crypto.CreateJwt(null, "https://authority", "client",
                 new Claim("at_hash", Crypto.HashData("token")),
-                new Claim("sub", "123"));
+                new Claim("sub", "123"),
+                new Claim("auth_time", "123"));
 
             var tokenResponse = new Dictionary<string, object>
             {
@@ -77,6 +78,7 @@ public async Task Valid_response_with_id_token_should_succeed()
             result.AccessToken.Should().Be("token");
             result.IdentityToken.Should().NotBeNull();
             result.User.Should().NotBeNull();
+            result.AuthenticationTime.Should().Be(DateTimeOffset.FromUnixTimeSeconds(123));
 
             result.User.Claims.Count().Should().Be(1);
             result.User.Claims.First().Type.Should().Be("sub");