Auto logout? Request re-authentication from the server?

Simon Josefsson simon at yubico.com
Thu Jul 3 09:07:39 UTC 2008


"Hans Granqvist" <hans at granqvist.com> writes:

> 'expires_in' relates to the length of the RP->OP assoc, not the
> length of the EU->RP session.

Good point.  I couldn't see the forest for the trees.

> I don't think that param is usable for you, unless I completely
> misunderstand what you're trying to achieve, which I think
> is that the end-user has to occasionally re-authenticate?

Right.  This param doesn't solve my use-case.

Thanks,
/Simon

>
> Hans
>
> On Wed, Jul 2, 2008 at 10:29 AM, Simon Josefsson <simon at yubico.com> wrote:
>> Martin Paljak <martin at paljak.pri.ee> writes:
>>
>>> Hi Simon,
>>>
>>>
>>> I believe expires_in from
>>> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>>>  is the thing you're interested in?
>>
>> Hi Martin.  Ah, thanks for the pointer, I wasn't aware of that
>> parameter.
>>
>> It isn't _exactly_ what I'm looking for -- I don't want to _force_ the
>> RP to re-authenticate.  I want to let the RP know that by
>> re-authenticating frequently, it can improve security.  This matches how
>> all one-time-password systems operate.
>>
>> Some RPs may be less security sensitive, and then it does not matter if
>> it continues without re-authentication.  However, some RPs may want to
>> take advantage of re-authentication if it is useful.
>>
>> Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is
>> changed into a 'SHOULD NOT' and a note is added to say that sites with
>> low security needs can ignore a low expires_in value.
>>
>> Maybe I should write a PAPE authentication profile for this.  I'm trying
>> to find out if this is something people feel is generally useful,
>> though, which could argue for including it in the standard.
>>
>> /Simon
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>>


