pape.auth_time versus pape.auth_age
The PHP library (and examples) from openidenabled.com currently return in the Auth_OpenID_PAPE_Response function pape.max_auth_age. Reading the specs from http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html#anchor10 this should be however pape.auth_time. The sample consumer seems to be happy with that, but I think this to be a mistake...

Can somebody confirm that sending pape.max_auth_age is wrong and it should be pape.auth_time instead?

--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: [OpenID] pape.auth_time versus pape.auth_age
> Can somebody confirm that sending pape.max_auth_age is wrong and it should be pape.auth_time instead?

Hi Eddy,

The PHP library implements Draft 1 of PAPE, not Draft 2. The same is true of the other openidenabled.com implementations.

--
Jonathan Daugherty
Re: [OpenID] pape.auth_time versus pape.auth_age
Jonathan and Martin, thanks a lot for clearing this. I wasn't aware that there is already a second draft (should look more carefully next time ;-) ).

Now, since there isn't a way to differentiate between drafts (i.e. the policy URL is http://specs.openid.net/extensions/pape/1.0 until the final), what is the best suggestion for implementation? Going for draft 1 or 2? Most likely RPs will not understand one or the other...

BTW, what's the time frame for the final version? Any estimates?

Martin Paljak wrote:
> On Feb 2, 2008, at 6:46 PM, Eddy Nigg (StartCom Ltd.) wrote:
>> Can somebody confirm that sending pape.max_auth_age is wrong and it should be pape.auth_time instead?
>
> max_auth_age should be the time in seconds from last authentication in the PAPE *request*.
>
> AFAIK Draft 1 had auth_time as 'seconds passed from last authentication', Draft 2 has auth_time as 'the timestamp of the last authentication'
>
> m.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
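On the question of RPs that understand only one draft, an RP-side freshness check can accept either encoding and fail closed otherwise. This is an added example, not code from the thread or from the openidenabled.com libraries; the function names, the `auth_age` field (taken from the thread subject) and the UTC timestamp format for `auth_time` are assumptions.

```python
from datetime import datetime, timezone

def _plain_seconds(raw):
    """Parse a non-negative integer number of seconds; None if malformed."""
    if raw is not None and raw.isascii() and raw.isdigit():
        return float(raw)
    return None

def auth_age_seconds(fields, now):
    """Seconds since the user last authenticated at the OP, or None if unknown.

    fields: PAPE response values with the 'openid.pape.' prefix stripped.
    now:    timezone-aware datetime, the RP's own clock.
    """
    raw_time = fields.get("auth_time")
    if raw_time is not None:
        try:
            # Draft 2 reading: timestamp of the last authentication.
            # Assumed wire format: UTC, e.g. 2008-02-02T16:46:00Z.
            ts = datetime.strptime(raw_time, "%Y-%m-%dT%H:%M:%SZ")
            return (now - ts.replace(tzinfo=timezone.utc)).total_seconds()
        except ValueError:
            # Draft 1 reading described in the thread: seconds elapsed.
            return _plain_seconds(raw_time)
    # Field name from the thread subject, assumed to carry elapsed seconds.
    return _plain_seconds(fields.get("auth_age"))

def is_fresh(fields, max_auth_age, now, skew=60):
    """True only if the response proves authentication within max_auth_age."""
    age = auth_age_seconds(fields, now)
    if age is None:
        return False          # no usable value: fail closed
    return -skew <= age <= max_auth_age  # reject timestamps from the future

# Constructed sample values, not captured traffic.
NOW = datetime(2008, 2, 2, 17, 0, 0, tzinfo=timezone.utc)
DRAFT2 = {"auth_time": "2008-02-02T16:46:00Z"}
DRAFT1 = {"auth_age": "840"}
```

An RP that requested `max_auth_age` and gets `False` here should treat the response as not meeting the requested policy, not silently accept the login.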
Re: OpenID 3.0
On 02/02/2008, Eddy Nigg (StartCom Ltd.) wrote:
> Yes, I also wonder why the IDP can't just return the ID. As of now I think it's two steps for this, with the RP explicitly requesting it? Or am I wrong with that?

When used in directed identity mode, the OP can pick the identity:

http://openid.net/specs/openid-authentication-2_0.html#responding_to_authentication

Of course, the OP is restricted to returning identities that it is authoritative for. This is what allows any yahoo user to enter yahoo.com as their OpenID identifier while still letting RPs tell them apart.

My point was that in cases where you do want to limit things to a single OP, it is worth considering this mode, since it does not require the user to enter any credentials (username or password) at the RP site.

James.