[Openid-specs-ab] Simplifying preferred_locales and max_age

Torsten Lodderstedt torsten at lodderstedt.net
Sat Feb 2 10:09:25 UTC 2013


Hi John,

What is the difference (from a security perspective) between query parameters and a request object sent with signature alg "none"?

regards,
Torsten.

On 02.02.2013 at 01:09, John Bradley <ve7jtb at ve7jtb.com> wrote:

> For max_age you don't necessarily want the user to be able to modify that in the request; that might cause security issues if auth_time is not required in the response. The RP may be thinking it is getting a stronger authentication than it is in reality.

