[PROPOSAL] authentication age
Recordon, David
drecordon at verisign.com
Sun Oct 1 07:33:17 UTC 2006
I like this, though I think minutes would be granular enough. Just to clarify, since it took me reading it a few times...
Add an optional request parameter openid.auth_age which is a positive integer. This parameter allows the relying party to request that if the identity provider has not renewed the session with the user in the past X minutes, that it do so at this time. If left out of the request, it is assumed that a session of any age is acceptable for the transaction. If 0, the RP is requesting authentication be done on this request no matter the age of the session.
Assuming this is added, it would have to be a MUST in the spec to be useful.
--David
-----Original Message-----
From: specs-bounces at openid.net on behalf of Dick Hardt
Sent: Sat 9/30/2006 5:04 PM
To: specs at openid.net
Subject: [PROPOSAL] authentication age
Motivating Use Case:
----------------------------
Different RPs will require different amounts of certainty about the
user, and at times will have different requirements depending on what
the user is doing. E.g. from existing web applications today: there is
little concern when the user is getting personalized pages and a
relatively old cookie may be adequate, but the app will require the
user to provide their password when changing their settings.
Proposed Implementation
-----------------------------------
New, optional parameter in the request, "openid.auth_age", where the
value is the number of seconds (minutes?) since the user last
provided credentials. If it has been longer than that since the
IdP authenticated the user, then the IdP MUST authenticate the user
again. A value of zero (0) means that the IdP MUST prompt the user
for credentials.
Issues
--------
There is no way to force an IdP to authenticate the user, but a
"good" IdP implementation will follow the requests of the RP.
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
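The following is an added illustration of the IdP-side decision the proposal above describes; it is not code from either message and not part of any OpenID implementation. It assumes the value of openid.auth_age is in seconds (the thread leaves seconds vs. minutes open), that the parameter arrives as a string in the request's parameter map, and that a malformed value (negative, non-integer, non-ASCII digits) is rejected as an invalid request rather than silently ignored. The decision names and the timestamps are constructed for the example.

```python
"""Worked example (added, not from the thread): how an IdP could act on the
proposed openid.auth_age request parameter. Units assumed to be seconds."""
import re
import time
from typing import Mapping, Optional

PARAM = "openid.auth_age"

# Possible outcomes for one incoming checkid request (names are illustrative).
REUSE = "reuse_session"             # existing session is fresh enough
REAUTH = "prompt_for_credentials"   # IdP must authenticate the user now
INVALID = "invalid_request"         # malformed openid.auth_age value

# "Positive integer" per the proposal: ASCII base-10 digits only. This rejects
# "-1", "1.5", "", " 30" and Unicode digits that str.isdigit() would accept.
_INT_RE = re.compile(r"[0-9]+")


def parse_auth_age(params: Mapping[str, str]) -> Optional[int]:
    """Return the requested maximum session age in seconds, or None when the
    parameter is absent (any session age is acceptable). Raises ValueError
    for values that are not non-negative integers."""
    raw = params.get(PARAM)
    if raw is None:
        return None
    if not _INT_RE.fullmatch(raw):
        raise ValueError(f"{PARAM} must be a non-negative integer, got {raw!r}")
    return int(raw)


def decide(params: Mapping[str, str],
           last_auth: Optional[float],
           now: Optional[float] = None) -> str:
    """Decide whether the IdP may reuse its session with the user.

    last_auth: epoch time the user last provided credentials at the IdP,
               or None if there is no session at all.
    now:       injectable clock for testing; defaults to time.time().
    """
    if now is None:
        now = time.time()
    try:
        max_age = parse_auth_age(params)
    except ValueError:
        return INVALID
    if last_auth is None:
        # No session to reuse regardless of what the RP asked for.
        return REAUTH
    if max_age is None:
        return REUSE            # RP accepts a session of any age
    if max_age == 0:
        return REAUTH           # RP wants authentication on this request
    elapsed = now - last_auth
    # Session older than the RP tolerates, or the clock moved backwards:
    # prompt again. elapsed == max_age is still acceptable ("longer than").
    if elapsed < 0 or elapsed > max_age:
        return REAUTH
    return REUSE


if __name__ == "__main__":
    # Constructed sample: user authenticated 500 s ago, RP tolerates 600 s.
    session_started = time.time() - 500
    print(decide({PARAM: "600"}, session_started))   # reuse_session
    print(decide({PARAM: "0"}, session_started))     # prompt_for_credentials
    print(decide({PARAM: "abc"}, session_started))   # invalid_request
```

The example makes the point in the "Issues" paragraph concrete from the IdP's side: the RP can only ask, and whether `decide` is ever consulted is entirely up to the IdP, so an RP that needs a fresh login for a sensitive action cannot treat a positive response as proof that the prompt happened unless the spec also defines how the IdP reports it.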