Title: RE: [PROPOSAL] authentication age

I like this, though I think minutes would be granular enough.  Just to clarify, since it took me reading it a few times...

Add an optional request parameter openid.auth_age which is a positive integer.  This parameter allows the relying party to request that if the identity provider has not renewed the session with the user in the past X minutes, that it do so at this time.  If left out of the request, it is assumed that a session of any age is acceptable for the transaction.  If 0, the RP is requesting authentication be done on this request no matter the age of the session.

Assuming this is added, it would have to be a MUST in the spec to be useful.

--David


-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Dick Hardt
Sent: Sat 9/30/2006 5:04 PM
To: specs@openid.net
Subject: [PROPOSAL] authentication age

Motivating Use Case:
----------------------------

Different RPs will require different amounts of certainty about the 
user, and at times will have different requirements depending on what 
the user is doing. E.g. from existing web applications today: there is 
little concern when the user is getting personalized pages, and a 
relatively old cookie may be adequate, but the app will require the 
user to provide their password when changing their settings.

Proposed Implementation
-----------------------------------

New, optional parameter in the request, "openid.auth_age" where the 
value is the number of seconds (minutes?) since the user last 
provided credentials. If it has been longer than that since the 
IdP authenticated the user, then the IdP MUST authenticate the user 
again. A value of zero (0) means that the IdP MUST prompt the user 
for credentials.

Issues
--------
There is no way to force an IdP to authenticate the user, but a 
"good" IdP implementation will follow the requests of the RP.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
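As an added illustration (not part of either message above, and not code from the OpenID project), here is how an identity provider could apply the proposed openid.auth_age check, covering the three cases the thread describes: parameter absent, parameter zero, and parameter compared against the session's age. It assumes the value is in seconds (the thread leaves seconds vs. minutes open), that request parameters arrive as a plain dict, and that the IdP records the Unix time at which it last verified the user's credentials; every name other than openid.auth_age is mine.

```python
"""IdP-side handling of the proposed openid.auth_age request parameter.

Assumptions not settled by the proposal: the value is in seconds, and the
IdP stores the epoch time at which it last verified the user's credentials.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Decision:
    reauthenticate: bool  # True: the IdP must collect credentials again
    reason: str


def parse_auth_age(params: Mapping[str, str]) -> Optional[int]:
    """Return the requested maximum session age in seconds, or None when the
    RP sent no openid.auth_age (a session of any age is then acceptable).

    Anything that is not a non-negative integer is rejected as a protocol
    error instead of being silently ignored, so a malformed value can never
    be mistaken for "no freshness requirement".
    """
    raw = params.get("openid.auth_age")
    if raw is None:
        return None
    if not raw.isdigit():  # rejects "", "-5", "3.5", "abc"; accepts "0"
        raise ValueError(f"openid.auth_age must be a non-negative integer, got {raw!r}")
    return int(raw)


def decide(params: Mapping[str, str], last_authenticated: Optional[int], now: int) -> Decision:
    """Decide whether the IdP must re-authenticate the user for this request.

    last_authenticated and now are Unix timestamps in seconds; None for
    last_authenticated means the IdP holds no session for this user at all.
    """
    max_age = parse_auth_age(params)

    if last_authenticated is None:
        return Decision(True, "no existing session for this user")
    if max_age is None:
        return Decision(False, "RP sent no openid.auth_age; any session age is acceptable")
    if max_age == 0:
        return Decision(True, "RP sent openid.auth_age=0; credentials are required regardless of session age")

    elapsed = now - last_authenticated
    if elapsed < 0:
        # The session timestamp lies in the future: clock skew or a corrupted
        # session store.  The age is unknown, so fail closed and re-authenticate.
        return Decision(True, "session timestamp is later than now; treating age as unknown")
    if elapsed > max_age:  # "longer than" in the proposal: strictly greater
        return Decision(True, f"session is {elapsed}s old, RP allows at most {max_age}s")
    return Decision(False, f"session is {elapsed}s old, within the RP's {max_age}s limit")


def demo() -> dict:
    """Constructed sample: the user authenticated 10 minutes before the request."""
    now = 1159657440  # constructed epoch time, not taken from a real session
    last = now - 600
    cases = {
        "absent": {},
        "zero": {"openid.auth_age": "0"},
        "within_limit": {"openid.auth_age": "900"},
        "at_limit": {"openid.auth_age": "600"},
        "expired": {"openid.auth_age": "300"},
    }
    return {name: decide(p, last, now) for name, p in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:13} reauthenticate={d.reauthenticate}  ({d.reason})")
```

The "at_limit" case follows the proposal's wording: a session exactly as old as the requested limit still passes, so an RP that wants a strict bound asks for a slightly smaller value. As the proposal's Issues section points out, none of this is visible to the RP; the check only helps if the IdP implements it honestly.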