[Openid-specs-ab] Simplifying preferred_locales and max_age
torsten at lodderstedt.net
Sat Feb 2 10:09:25 UTC 2013
Where is the difference (from a security perspective) between query parameters and a request object sent with signature alg "none"?
On 02.02.2013 at 01:09, John Bradley <ve7jtb at ve7jtb.com> wrote:
> For max_age you don't necessarily want the user to be able to modify that in the request. That might cause security issues if auth_time is not required in the response; the RP may be thinking it is getting a stronger authentication than it is in reality.
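
An added example, not part of the original thread: one way an RP can guard against the max_age concern raised above is to compare the auth_time claim of the ID token against the max_age value it stored server-side when it built the request, rather than trusting that the value survived the trip through the user agent. The function name, the 60-second clock-skew allowance and the sample claims are assumptions made for illustration, and the claims are assumed to come from an ID token whose signature has already been verified.

```python
import time


class AuthAgeError(Exception):
    """ID token claims do not prove the authentication freshness the RP asked for."""


def check_auth_freshness(claims, requested_max_age, now=None, skew=60):
    """Return the authentication age in seconds, or raise AuthAgeError.

    claims            -- dict of claims from an already signature-verified ID token
    requested_max_age -- the max_age the RP recorded in its own session state when
                         it built the request (None if it did not ask for one);
                         never read this back from the redirect URL
    skew              -- tolerated clock difference in seconds (assumed value)
    """
    if requested_max_age is None:
        return None  # the RP made no freshness demand, nothing to enforce

    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")

    # Without auth_time the RP cannot tell whether max_age was honoured or
    # stripped from the request, so a missing claim is a failure, not a pass.
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        raise AuthAgeError("max_age was requested but auth_time is missing or invalid")

    if auth_time > now + skew:
        raise AuthAgeError("auth_time lies in the future")

    age = max(now - auth_time, 0)
    if age > requested_max_age + skew:
        raise AuthAgeError(
            f"authentication is {age}s old, RP required at most {requested_max_age}s"
        )
    return age


# Constructed sample claims (not taken from any real token).
NOW = 1359800000
FRESH = {"sub": "user-1", "auth_time": NOW - 120}
STALE = {"sub": "user-1", "auth_time": NOW - 3600}
NO_AUTH_TIME = {"sub": "user-1"}

if __name__ == "__main__":
    print(check_auth_freshness(FRESH, 300, now=NOW))
```
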