[Openid-specs-mobile-profile] Issue #144: clients may want to influence lifetime of auth_req_id (openid/mobile)

Joseph Heenan issues-reply at bitbucket.org
Wed Dec 26 03:20:49 UTC 2018

New issue 144: clients may want to influence lifetime of auth_req_id

Joseph Heenan:

Currently it seems the AS alone is responsible for deciding on the expires_in value for auth_req_id.

Talking through possible use cases it seems like often the client is going to have a better idea on what a useful auth_req_id lifetime might be. For example, if the user is trying to make an immediate payment in a store, an auth_req_id expiry is likely to be single-digit minutes.

If the client is trying to schedule a payment itself (e.g. a weekly auto sweep into a savings account) it would be quite reasonable to give the user 24 hours or more to authorise the payment.

I'd hence be tempted to add a "requested_auth_req_id_expiry" (or perhaps something with a less clumsy name) parameter to the authentication request.
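As an added illustration of how the proposal above could be handled on the server side (this is example code, not from the issue, the CIBA specification, or any OpenID implementation): the client passes a hint, but the authorization server stays authoritative by clamping it to its own policy bounds and falling back to a default when the hint is absent or malformed. The parameter name `requested_auth_req_id_expiry` is the name proposed in the issue and is not a standard CIBA parameter; the policy bounds, the in-memory store and the `handle_backchannel_request` function are assumptions made for the example.

```python
"""Example (not part of the issue or the CIBA spec): an authorization server
honouring a client-supplied auth_req_id expiry hint without giving up control.

The parameter name "requested_auth_req_id_expiry" is the one proposed in the
issue; it is hypothetical. Policy bounds below are constructed values."""
import secrets
import time
from typing import Dict, Optional

# Hypothetical AS policy (seconds). The AS, not the client, sets these.
MIN_EXPIRY = 60              # never hand out an auth_req_id valid for under a minute
MAX_EXPIRY = 7 * 24 * 3600   # never longer than a week, whatever the client asks for
DEFAULT_EXPIRY = 600         # used when the client sends no hint
POLL_INTERVAL = 5            # CIBA "interval" returned to the client

# In-memory store of outstanding requests: auth_req_id -> absolute expiry time.
_pending: Dict[str, float] = {}


def effective_expiry(requested: Optional[int]) -> int:
    """Return the expires_in the AS will actually use.

    None  -> AS default
    int   -> clamped into [MIN_EXPIRY, MAX_EXPIRY]
    other -> rejected (the AS should answer with invalid_request)"""
    if requested is None:
        return DEFAULT_EXPIRY
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(requested, bool) or not isinstance(requested, int) or requested <= 0:
        raise ValueError("requested_auth_req_id_expiry must be a positive integer of seconds")
    return max(MIN_EXPIRY, min(requested, MAX_EXPIRY))


def handle_backchannel_request(params: Dict[str, object], now: Optional[float] = None) -> Dict[str, object]:
    """Process the form parameters of a backchannel authentication request and
    build the JSON response body (auth_req_id, expires_in, interval).

    Only the hypothetical expiry hint is interpreted here; scope, login_hint
    and the other CIBA parameters are assumed to have been validated already."""
    now = time.time() if now is None else now
    expires_in = effective_expiry(params.get("requested_auth_req_id_expiry"))  # type: ignore[arg-type]
    auth_req_id = secrets.token_urlsafe(32)  # unguessable identifier
    _pending[auth_req_id] = now + expires_in
    return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": POLL_INTERVAL}


def is_expired(auth_req_id: str, now: Optional[float] = None) -> bool:
    """True if the request is unknown or its AS-chosen lifetime has elapsed.
    A token endpoint would answer such a poll with the CIBA 'expired_token' error."""
    now = time.time() if now is None else now
    deadline = _pending.get(auth_req_id)
    return deadline is None or now >= deadline


if __name__ == "__main__":
    # Constructed requests mirroring the two use cases in the issue.
    in_store = handle_backchannel_request(
        {"scope": "openid payments", "login_hint": "user@example.com",
         "requested_auth_req_id_expiry": 300})          # immediate payment: 5 minutes
    scheduled = handle_backchannel_request(
        {"scope": "openid payments", "login_hint": "user@example.com",
         "requested_auth_req_id_expiry": 24 * 3600})    # scheduled sweep: 24 hours
    print(in_store["expires_in"], scheduled["expires_in"])
```

The clamping is the security-relevant part: a client hint of a few seconds would make the flow unusable, while an unbounded hint would leave authentication requests pending indefinitely, so both ends are pinned by AS policy and the hint only moves the value inside that window.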
