Auto logout? Request re-authentication from the server?

Hans Granqvist hans at granqvist.com
Wed Jul 2 18:22:44 UTC 2008


'expires_in' relates to the length of the RP->OP assoc, not the
length of the EU->RP session.

I don't think that param is usable for you, unless I completely
misunderstand what you're trying to achieve, which I think
is that the end-user has to occasionally re-authenticate?

Hans

On Wed, Jul 2, 2008 at 10:29 AM, Simon Josefsson <simon at yubico.com> wrote:
> Martin Paljak <martin at paljak.pri.ee> writes:
>
>> Hi Simon,
>>
>>
>> I believe expires_in from
>> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>>  is the thing you're interested in?
>
> Hi Martin.  Ah, thanks for the pointer, I wasn't aware of that
> parameter.
>
> It isn't _exactly_ what I'm looking for -- I don't want to _force_ the
> RP to re-authenticate.  I want to let the RP know that by
> re-authenticating frequently, it can improve security.  This matches how
> all one-time-password systems operate.
>
> Some RPs may be less security sensitive, and then it does not matter if
> it continues without re-authentication.  However, some RPs may want to
> take advantage of re-authentication if it is useful.
>
> Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is
> changed into a 'SHOULD NOT' and a note is added to say that sites with
> low security needs can ignore a low expires_in value.
>
> Maybe I should write a PAPE authentication profile for this.  I'm trying
> to find out if this is something people feel is generally useful,
> though, which could argue for including it in the standard.
>
> /Simon
>
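The distinction drawn in the reply above, between the lifetime of the RP->OP association and the lifetime of the EU->RP session, shown as an added example that is not part of the original thread. The class names, the `reauth_after` policy value and the sample response (trimmed to the fields used here) are constructed for illustration.

```python
# Constructed sample of an OpenID 2.0 association response in Key-Value form,
# trimmed to the fields this example reads.
SAMPLE_ASSOC_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "assoc_handle:constructed-handle-1\n"
    "assoc_type:HMAC-SHA256\n"
    "expires_in:1209600\n"
)


def parse_kv(body):
    """Parse Key-Value form: one 'key:value' per line, split on the first colon."""
    fields = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields[key] = value
    return fields


class Association:
    """RP->OP association; 'expires_in' bounds how long the RP may use it."""

    def __init__(self, fields, received_at):
        expires_in = int(fields["expires_in"])
        if expires_in < 0:
            raise ValueError("expires_in must not be negative")
        self.handle = fields["assoc_handle"]
        self.expires_at = received_at + expires_in

    def usable(self, now):
        return now < self.expires_at


class UserSession:
    """EU->RP login session; its lifetime is the RP's own policy."""

    def __init__(self, authenticated_at, reauth_after):
        self.authenticated_at = authenticated_at
        self.reauth_after = reauth_after  # hypothetical RP policy, in seconds

    def needs_reauth(self, now):
        # Deliberately independent of Association.expires_at.
        return now - self.authenticated_at >= self.reauth_after
```

With a 15-minute `reauth_after`, the session asks for re-authentication long before the two-week association in the sample expires; the two timers never consult each other.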