auth_time claim inconsistent across SSO requests #60

@leodip


Problem

When max_age is used in an authorization request, the OIDC conformance test CheckIdTokenAuthTimeClaimsSameIfPresent fails because two id_tokens from the same authentication session contain different auth_time values.

Test: oidc-max-age-10000 (OpenID Foundation conformance suite v5.1.39)

Steps to reproduce

  1. Client sends authorization request with max_age=15000 — user authenticates with password
  2. Client sends second authorization request with max_age=10000 — server reuses the existing session (SSO)
  3. Compare auth_time in both id_tokens

Expected: Both id_tokens have the same auth_time (user only authenticated once).

Actual: The values differ by several seconds.

Root cause

In handler_auth_completed.go, the return values from BumpUserSession and StartNewUserSession are discarded:

_, err = userSessionManager.BumpUserSession(...)
_, err = userSessionManager.StartNewUserSession(...)

Since authContext.AuthenticatedAt is never set, code_issuer.go falls back to time.Now() at code creation time — several seconds after the session was actually created.

On the second request, the SSO path in handler_authorize.go correctly copies session.AuthTime into the id_token. This creates the mismatch:

  • First id_token: auth_time = code creation time (T + N seconds)
  • Second id_token: auth_time = session's original AuthTime (T)
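The following Go program is an added illustration of the mismatch described above and of the fix the root-cause analysis implies; it is not code from the project. The `UserSession`, `AuthContext` and `SessionManager` types, their field names and the simplified `issueAuthTime` fallback are assumptions that model the behaviour described in the issue, not the server's real definitions. `buggyFlow` drops the session returned by `StartNewUserSession` so the first token's `auth_time` comes from the code-creation clock, while `fixedFlow` keeps the returned session and records its `AuthTime` before the code is issued. The example also shows why a relying party cares: `auth_time` is what it compares against `max_age`, so a value inflated toward the present makes an older login look fresher than it is.

```go
package main

import (
	"fmt"
	"time"
)

// UserSession is a simplified stand-in for the server's session record. The
// type and field names here are assumptions for this example, not the
// project's own definitions.
type UserSession struct {
	ID       string
	AuthTime time.Time // when the user actually presented credentials
}

// AuthContext carries state from authentication to code issuance. A zero
// AuthenticatedAt models "the handler never set it".
type AuthContext struct {
	AuthenticatedAt time.Time
}

// SessionManager models StartNewUserSession / BumpUserSession.
type SessionManager struct {
	sessions map[string]*UserSession
}

func NewSessionManager() *SessionManager {
	return &SessionManager{sessions: map[string]*UserSession{}}
}

// StartNewUserSession records the authentication instant and returns the session.
func (m *SessionManager) StartNewUserSession(id string, authAt time.Time) *UserSession {
	s := &UserSession{ID: id, AuthTime: authAt}
	m.sessions[id] = s
	return s
}

// BumpUserSession is the SSO reuse path: it returns the existing session and
// leaves AuthTime untouched, because no new authentication happened.
func (m *SessionManager) BumpUserSession(id string) (*UserSession, bool) {
	s, ok := m.sessions[id]
	return s, ok
}

// issueAuthTime mirrors the fallback the issue describes: when the context
// carries no AuthenticatedAt, the code issuer stamps auth_time with the clock
// at code-creation time instead of the session's AuthTime.
func issueAuthTime(ctx AuthContext, codeCreatedAt time.Time) int64 {
	if ctx.AuthenticatedAt.IsZero() {
		return codeCreatedAt.Unix()
	}
	return ctx.AuthenticatedAt.Unix()
}

// buggyFlow discards the session returned by StartNewUserSession, so the first
// id_token gets the code-creation clock and the SSO token gets the real AuthTime.
func buggyFlow(authAt, codeCreatedAt time.Time) (first, second int64) {
	m := NewSessionManager()
	var ctx AuthContext
	_ = m.StartNewUserSession("sess-1", authAt) // return value dropped, as in the issue
	first = issueAuthTime(ctx, codeCreatedAt)
	s, _ := m.BumpUserSession("sess-1")
	second = s.AuthTime.Unix()
	return first, second
}

// fixedFlow keeps the returned session and copies its AuthTime into the
// context before the code is issued, so both tokens agree.
func fixedFlow(authAt, codeCreatedAt time.Time) (first, second int64) {
	m := NewSessionManager()
	var ctx AuthContext
	s := m.StartNewUserSession("sess-1", authAt)
	ctx.AuthenticatedAt = s.AuthTime
	first = issueAuthTime(ctx, codeCreatedAt)
	s, _ = m.BumpUserSession("sess-1")
	second = s.AuthTime.Unix()
	return first, second
}

// authTimeConsistent is the property CheckIdTokenAuthTimeClaimsSameIfPresent
// checks: two id_tokens from one authentication carry the same auth_time.
func authTimeConsistent(a, b int64) bool { return a == b }

// maxAgeSatisfied is the relying party's use of auth_time: the authentication
// must be no older than max_age seconds when the token is evaluated. An
// inflated auth_time would make a stale login pass this check.
func maxAgeSatisfied(authTime int64, maxAgeSeconds int64, now time.Time) bool {
	return now.Unix()-authTime <= maxAgeSeconds
}

func main() {
	authAt := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timestamps
	codeAt := authAt.Add(7 * time.Second)                    // code issued 7 s after login
	b1, b2 := buggyFlow(authAt, codeAt)
	f1, f2 := fixedFlow(authAt, codeAt)
	fmt.Printf("buggy: %d vs %d consistent=%v\n", b1, b2, authTimeConsistent(b1, b2))
	fmt.Printf("fixed: %d vs %d consistent=%v\n", f1, f2, authTimeConsistent(f1, f2))
}
```

Run with `go run .`; the buggy flow reports two values seven seconds apart, the fixed flow reports the session's original `AuthTime` for both tokens.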
