At 10:43 PM -0700 6/30/09, Dick Hardt wrote:
So if the user has authenticated 55 seconds ago, but takes 6 seconds to click the continue button, then the user will be presented with a login screen after clicking the continue button which tells them they will be sent to the RP. Jarring user experience. I would suggest we think this through.
Countdown button showing the remaining seconds to click before the option is grayed-out?
At 11:04 PM -0700 6/30/09, Allen Tom wrote:
- OPs which use passwords to authenticate the user should re-prompt for the password (it's OK to pre-fill the userid in the Login form)
Some browsers (or extensions thereof) will also pre-fill the password field. Out of scope for OpenID, but nice to be aware of. (I try to break this behavior by adding random characters to the input field's name each time it's generated, and then only looking at the first part of its name to identify it. I suspect user appreciation for this "feature" is not high.)
- Ideally, the user's IP address should not change between the time the user authenticated and when the assertion is generated. (this is less important, but nice to have)
OpenID presumes a certain network architecture, then? OPs won't be reachable through proxies or any weirdness that guarantees the admins they only need to expect connections from an internal IP address? Users won't be connecting through a mixer or any other weirdness that assigns a different external IP address to every outgoing connection?
At 11:08 PM -0700 6/30/09, Dirk Balfanz wrote:
Let's say Amazon decides that X=30 seconds. If Amazon really believes the statement above with X=30 seconds, then there is no need for them to ask for reauthentication in every case. They should only ask for reauthentication if the session is older than 30 seconds. In other words, the only sensible thing for Amazon to send to the OP is max_auth_age=30, not max_auth_age=0, or some new special PAPE policy.
What if Amazon wants X=30 seconds for some cases and X=10 seconds for others?
Now, what should the OP return? The OP abides by Amazon's wishes and re-authenticates the user if the user's session is older than 30 seconds. But then the user gets distracted or whatnot, so when the user actually returns to Amazon, the login session at this point is 2 minutes old. Amazon needs to know this because their policy is to only allow sessions that are no more than 30 seconds old. So the OP actually needs to tell the RP the age of the user's login session.
I don't think so. It seems like the RP only needs a TRUE/FALSE statement.
To summarize, knowing that the OP met the RP's policy (reauthenticated the user) _doesn't_ buy the RP anything (the user session could still be too old by the time the user returns to the OP).
I think I understand now: the OP would be providing a direct link to the RP, which the user would click on after they'd been authenticated. But it's possible for the OP to link back to itself, providing an immediate redirect as per the next link in an OpenID chain - but only *if* the user were still meeting that policy.
-Shade

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
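The point of Dirk's exchange above is that the RP cannot rely on the OP having re-authenticated; it must check the reported authentication time itself when the assertion actually arrives. Added example (not from this thread or from any OpenID library): an RP-side freshness check over the PAPE `openid.pape.auth_time` response field, using a constructed sample response and a skew tolerance that is an assumed value.

```python
from datetime import datetime, timezone

# Constructed sample of the PAPE fields an OP might include in a positive
# assertion (only the field this check needs, plus one for realism).
SAMPLE_RESPONSE = {
    "openid.pape.auth_time": "2009-07-01T05:43:00Z",
    "openid.pape.auth_policies": "none",
}


def parse_auth_time(value: str) -> datetime:
    """PAPE auth_time is RFC 3339 in UTC with a trailing 'Z'; reject anything else."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be UTC with a 'Z' suffix")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_is_fresh(response: dict, max_auth_age: int, now: datetime, skew: int = 5) -> bool:
    """Return True only if the OP-reported authentication time is at most
    max_auth_age seconds old at the moment the RP processes the assertion.

    This is the RP's own check: whether the OP honoured max_auth_age at the
    time it re-authenticated the user does not matter if the user then
    dawdled before returning.  'skew' (assumed, in seconds) tolerates small
    clock differences between OP and RP.
    """
    raw = response.get("openid.pape.auth_time")
    if raw is None:
        return False  # OP reported no auth_time, so freshness cannot be verified
    age = (now - parse_auth_time(raw)).total_seconds()
    if age < -skew:
        return False  # auth_time lies in the future beyond tolerated skew
    return age <= max_auth_age + skew


if __name__ == "__main__":
    now = datetime(2009, 7, 1, 5, 45, 0, tzinfo=timezone.utc)  # user returned 2 min later
    print(session_is_fresh(SAMPLE_RESPONSE, 30, now))  # False: 120 s old, policy says 30 s
```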
