diff --git a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
index 765f233136..0bb485447a 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@@ -331,11 +331,6 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
             uriBuilder.queryParam(OIDCLoginProtocol.LOGIN_HINT_PARAM, loginHint);
         }
 
-        String maxAge = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.MAX_AGE_PARAM);
-        if (getConfig().isPassMaxAge() && maxAge != null) {
-            uriBuilder.queryParam(OIDCLoginProtocol.MAX_AGE_PARAM, maxAge);
-        }
-
         if (getConfig().isUiLocales()) {
             uriBuilder.queryParam(OIDCLoginProtocol.UI_LOCALES_PARAM, session.getContext().resolveLocale(null).toLanguageTag());
         }
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 9e4a1f5e63..7061b6550b 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -387,6 +387,20 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
 
         JsonWebToken idToken = validateToken(encodedIdToken);
 
+        if (getConfig().isPassMaxAge()) {
+            AuthenticationSessionModel authSession = session.getContext().getAuthenticationSession();
+
+            if (isAuthTimeExpired(idToken, authSession)) {
+                throw new IdentityBrokerException("User not re-authenticated by the target OpenID Provider");
+            }
+
+            Object authTime = idToken.getOtherClaims().get(IDToken.AUTH_TIME);
+
+            if (authTime != null) {
+                authSession.setClientNote(AuthenticationManager.AUTH_TIME_BROKER, authTime.toString());
+            }
+        }
+
         try {
             BrokeredIdentityContext identity = extractIdentity(tokenResponse, accessToken, idToken);
             
@@ -411,6 +425,25 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
         }
     }
 
+    protected boolean isAuthTimeExpired(JsonWebToken idToken, AuthenticationSessionModel authSession) {
+        String maxAge = authSession.getClientNote(OIDCLoginProtocol.MAX_AGE_PARAM);
+
+        if (maxAge == null) {
+            return false;
+        }
+
+        String authTime = idToken.getOtherClaims().getOrDefault(IDToken.AUTH_TIME, "0").toString();
+        int authTimeInt = authTime == null ? 0 : Integer.parseInt(authTime);
+        int maxAgeInt = Integer.parseInt(maxAge);
+
+        if (authTimeInt + maxAgeInt < Time.currentTime()) {
+            logger.debugf("Invalid auth_time claim. User not re-authenticated by the target OP.");
+            return true;
+        }
+
+        return false;
+    }
+
     private static final MediaType APPLICATION_JWT_TYPE = MediaType.valueOf("application/jwt");
 
     protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenResponse, String accessToken, JsonWebToken idToken) throws IOException {
@@ -814,6 +847,12 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
         authenticationSession.setClientNote(BROKER_NONCE_PARAM, nonce);
         uriBuilder.queryParam(OIDCLoginProtocol.NONCE_PARAM, nonce);
 
+        String maxAge = request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.MAX_AGE_PARAM);
+
+        if (getConfig().isPassMaxAge() && maxAge != null) {
+            uriBuilder.queryParam(OIDCLoginProtocol.MAX_AGE_PARAM, maxAge);
+        }
+
         return uriBuilder;
     }
 
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 5813b7147e..6ae379611e 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -138,6 +138,10 @@ public class AuthenticationManager {
 
     // userSession note with authTime (time when authentication flow including requiredActions was finished)
     public static final String AUTH_TIME = "AUTH_TIME";
+
+    // authSession client note set during brokering indicating the time when the authentication happened at the IdP
+    public static final String AUTH_TIME_BROKER = "AUTH_TIME_BROKER";
+
     // clientSession note with flag that clientSession was authenticated through SSO cookie
     public static final String SSO_AUTH = "SSO_AUTH";
 
@@ -956,7 +960,7 @@ public class AuthenticationManager {
             clientSession.setNote(SSO_AUTH, "true");
             authSession.removeAuthNote(SSO_AUTH);
         } else {
-            int authTime = Time.currentTime();
+            int authTime = Optional.ofNullable(authSession.getClientNote(AUTH_TIME_BROKER)).map(Integer::parseInt).orElse(Time.currentTime());
             userSession.setNote(AUTH_TIME, String.valueOf(authTime));
             clientSession.removeNote(SSO_AUTH);
         }
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/broker/oidc/TestKeycloakOidcIdentityProviderFactory.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/broker/oidc/TestKeycloakOidcIdentityProviderFactory.java
new file mode 100644
index 0000000000..6a062bb396
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/broker/oidc/TestKeycloakOidcIdentityProviderFactory.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.broker.oidc;
+
+import javax.ws.rs.core.UriBuilder;
+import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
+import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
+import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
+import org.keycloak.broker.provider.AuthenticationRequest;
+import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
+import org.keycloak.sessions.AuthenticationSessionModel;
+
+public class TestKeycloakOidcIdentityProviderFactory extends KeycloakOIDCIdentityProviderFactory {
+
+    public static final String ID = "test-keycloak-oidc";
+    public static final String IGNORE_MAX_AGE_PARAM = "ignore-max-age-param";
+
+    public static void setIgnoreMaxAgeParam(IdentityProviderRepresentation rep) {
+        rep.getConfig().put(IGNORE_MAX_AGE_PARAM, Boolean.TRUE.toString());
+    }
+
+    @Override
+    public String getId() {
+        return ID;
+    }
+
+    @Override
+    public KeycloakOIDCIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
+        return new KeycloakOIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model)) {
+            @Override
+            protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
+                AuthenticationSessionModel authSession = request.getAuthenticationSession();
+                String maxAge = authSession.getClientNote(OIDCLoginProtocol.MAX_AGE_PARAM);
+
+                try {
+                    if (isIgnoreMaxAgeParam()) {
+                        authSession.removeClientNote(OIDCLoginProtocol.MAX_AGE_PARAM);
+                    }
+                    return super.createAuthorizationUrl(request);
+                } finally {
+                    authSession.setClientNote(OIDCLoginProtocol.MAX_AGE_PARAM, maxAge);
+                }
+            }
+
+            private boolean isIgnoreMaxAgeParam() {
+                return Boolean.parseBoolean(model.getConfig().getOrDefault(IGNORE_MAX_AGE_PARAM, Boolean.FALSE.toString()));
+            }
+        };
+    }
+}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory
index 436e93e367..8f3523dbbe 100644
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory
@@ -15,4 +15,5 @@
 # limitations under the License.
 #
 
-org.keycloak.testsuite.broker.oidc.LegacyIdIdentityProviderFactory
\ No newline at end of file
+org.keycloak.testsuite.broker.oidc.LegacyIdIdentityProviderFactory
+org.keycloak.testsuite.broker.oidc.TestKeycloakOidcIdentityProviderFactory
\ No newline at end of file
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerPassMaxAgeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerPassMaxAgeTest.java
index f7ae09d6db..a240ea2f0c 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerPassMaxAgeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerPassMaxAgeTest.java
@@ -2,15 +2,17 @@ package org.keycloak.testsuite.broker;
 
 import org.junit.Ignore;
 import org.junit.Test;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.admin.client.resource.IdentityProviderResource;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.IdentityProviderSyncMode;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.testsuite.Assert;
+import org.keycloak.testsuite.broker.oidc.TestKeycloakOidcIdentityProviderFactory;
 
 import java.util.Map;
 
 import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_ALIAS;
-import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_PROVIDER_ID;
 import static org.keycloak.testsuite.broker.BrokerTestTools.createIdentityProvider;
 import static org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot;
 import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;
@@ -31,13 +33,13 @@ public class KcOidcBrokerPassMaxAgeTest extends AbstractBrokerTest {
         
         @Override
         public IdentityProviderRepresentation setUpIdentityProvider(IdentityProviderSyncMode syncMode) {
-            IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, IDP_OIDC_PROVIDER_ID);
+            IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, TestKeycloakOidcIdentityProviderFactory.ID);
 
             Map<String, String> config = idp.getConfig();
             applyDefaultConfiguration(config, syncMode);
             config.put(IdentityProviderModel.LOGIN_HINT, "false");
-
             config.put(IdentityProviderModel.PASS_MAX_AGE, "true");
+            config.remove(OAuth2Constants.PROMPT);
 
             return idp;
         }
@@ -92,4 +94,49 @@ public class KcOidcBrokerPassMaxAgeTest extends AbstractBrokerTest {
 
         testSingleLogout();
     }
+
+    @Test
+    public void testEnforceReAuthenticationWhenMaxAgeIsSet() {
+        // login as brokered user user, perform profile update on first broker login and logout user
+        loginUser();
+        testSingleLogout();
+
+        driver.navigate().to(getAccountUrl(getConsumerRoot(), bc.consumerRealmName()));
+        loginPage.clickSocial(bc.getIDPAlias());
+        waitForPage(driver, "sign in to", true);
+        Assert.assertTrue("Driver should be on the provider realm page right now",
+                driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
+
+        loginPage.login(bc.getUserLogin(), bc.getUserPassword());
+        accountUpdateProfilePage.assertCurrent();
+
+        IdentityProviderResource idpResource = realmsResouce().realm(bc.consumerRealmName()).identityProviders()
+                .get(bc.getIDPAlias());
+        IdentityProviderRepresentation idpRep = idpResource.toRepresentation();
+
+        TestKeycloakOidcIdentityProviderFactory.setIgnoreMaxAgeParam(idpRep);
+
+        idpResource.update(idpRep);
+
+        setTimeOffset(2);
+
+        // trigger re-auth with max_age while we are still authenticated
+        String loginUrlWithMaxAge = getLoginUrl(getConsumerRoot(), bc.consumerRealmName(), "account") + "&max_age=1";
+        driver.navigate().to(loginUrlWithMaxAge);
+
+        // we should now see the login page of the consumer
+        waitForPage(driver, "sign in to", true);
+        loginPage.assertCurrent(bc.consumerRealmName());
+        Assert.assertTrue("Driver should be on the consumer realm page right now",
+                driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/protocol/openid-connect/auth"));
+
+        loginPage.clickSocial(bc.getIDPAlias());
+        // we should see the login page of the provider, since the max_age was propagated
+        waitForPage(driver, "sign in to", true);
+        loginPage.getError();
+        Assert.assertEquals("Unexpected error when authenticating with identity provider",
+                loginPage.getInstruction());
+
+        testSingleLogout();
+    }
 }