[Openid-specs-mobile-profile] Issue #144: clients may want to influence lifetime of auth_req_id (openid/mobile)
Joseph Heenan
issues-reply at bitbucket.org
Wed Dec 26 03:20:49 UTC 2018
New issue 144: clients may want to influence lifetime of auth_req_id
https://bitbucket.org/openid/mobile/issues/144/clients-may-want-to-influence-lifetime-of
Joseph Heenan:
Currently it seems the AS alone is responsible for deciding on the expires_in value for auth_req_id.
Talking through possible use cases it seems like often the client is going to have a better idea on what a useful auth_req_id lifetime might be. For example, if the user is trying to make an immediate payment in a store, an auth_req_id expiry is likely to be single-digit minutes.
If the client is trying to schedule a payment itself (e.g. a weekly auto sweep into a savings account) it would be quite reasonable to give the user 24 hours or more to authorise the payment.
I'd hence be tempted to add a "requested_auth_req_id_expiry" (or perhaps something with a less clumsy name) parameter to the authentication request.
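The following is an added illustration, not code from the issue, from Joseph Heenan, or from the CIBA specification, of how an AS could honour a client-supplied expiry preference while keeping the final decision on its own side. It assumes the proposed (hypothetical, not standardised) `requested_auth_req_id_expiry` parameter from the post, and the policy bounds, the in-memory store and the sample requests are constructed for the example. The point it makes beyond the text is that the request is a hint the AS clamps to its policy, so a client cannot extend an auth_req_id's lifetime indefinitely, and that a polling client is told the granted value rather than the one it asked for.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# AS policy (constructed values for this example, not spec-mandated):
DEFAULT_EXPIRES_IN = 300        # 5 minutes when the client states no preference
MIN_EXPIRES_IN = 30             # below this, polling clients barely get one attempt
MAX_EXPIRES_IN = 24 * 60 * 60   # hard cap: a client may never obtain more than 24h
POLL_INTERVAL = 5               # seconds between token-endpoint polls


@dataclass
class AuthReqRecord:
    auth_req_id: str
    expires_in: int
    issued_at: float


# In-memory store of outstanding authentication requests (constructed for the example).
PENDING: Dict[str, AuthReqRecord] = {}


def resolve_expires_in(requested: Optional[int]) -> int:
    """Turn the client's hint into the lifetime the AS actually grants.

    None -> AS default; otherwise the value is clamped into [MIN, MAX].
    Non-integer or non-positive values are rejected as invalid_request.
    """
    if requested is None:
        return DEFAULT_EXPIRES_IN
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(requested, bool) or not isinstance(requested, int) or requested <= 0:
        raise ValueError("invalid_request: requested_auth_req_id_expiry must be a positive integer")
    return max(MIN_EXPIRES_IN, min(requested, MAX_EXPIRES_IN))


def handle_backchannel_authentication(params: dict, now: Optional[float] = None) -> dict:
    """Minimal model of the backchannel authentication endpoint response.

    Only the fields relevant to the lifetime discussion are produced; the
    hypothetical requested_auth_req_id_expiry parameter is read from params.
    """
    if now is None:
        now = time.time()
    if "login_hint" not in params and "id_token_hint" not in params and "login_hint_token" not in params:
        raise ValueError("invalid_request: a user hint is required")

    expires_in = resolve_expires_in(params.get("requested_auth_req_id_expiry"))
    # auth_req_id must be unguessable: it is the only handle the client later polls with.
    auth_req_id = secrets.token_urlsafe(32)
    PENDING[auth_req_id] = AuthReqRecord(auth_req_id, expires_in, now)
    return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": POLL_INTERVAL}


def is_expired(auth_req_id: str, now: Optional[float] = None) -> bool:
    """True if the AS should answer a poll with expired_token (or the id is unknown)."""
    if now is None:
        now = time.time()
    rec = PENDING.get(auth_req_id)
    if rec is None:
        return True
    return now >= rec.issued_at + rec.expires_in


if __name__ == "__main__":
    # Immediate in-store payment: client asks for a short window.
    store = handle_backchannel_authentication(
        {"scope": "openid payments", "login_hint": "user@example.com",
         "requested_auth_req_id_expiry": 120}, now=1000.0)
    # Scheduled weekly sweep: client asks for a week, AS caps it at 24h.
    sweep = handle_backchannel_authentication(
        {"scope": "openid payments", "login_hint": "user@example.com",
         "requested_auth_req_id_expiry": 7 * 24 * 3600}, now=1000.0)
    print(store["expires_in"], sweep["expires_in"])
    print(is_expired(store["auth_req_id"], now=1000.0 + 121))
```

The granted `expires_in` in the response is authoritative for the client; the request parameter only steers the AS within its configured bounds.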