[OpenID] Durability of authorized sessions
Martin Atkins
mart at degeneration.co.uk
Wed Nov 28 18:38:32 UTC 2007
Peter Williams wrote:
>
>
> In SAML2, an RP such as RP2 can provide a second (PAPE-like) field requiring that the OP should NOT involve the user interactively - in formulating its claimset. That is... it is really saying: use an OP-local-cookie issued earlier, where reasonable. If its not reasonable to still rely on such a cookie, the OP should respond with - unable to satisfy RP requirements: no claims available. The RP can then invoke the flow again, lessening the "no-interruption" restriction and thereby allowing the OP to present an interactive logon experience...featuring password, or bio, or 2-factor or whatever X grade of user auth satisfes the RP2's PAPE requirement. If RP1 comes back again to the OP, with a PAPE requirement that is higher than X, then the OP MUST interupt the pageflow and satisfy the requirement at the higher standard (assuming it supports it).
>
As far as a non-interactive handshake goes, OpenID already supports such
a thing. Jyte is an example of a site which uses it: if you return to
Jyte and have a cookie which says you are http://joe.example.com/, it'll
attempt a non-interactive handshake with your OP and attempt to
automatically log you in. If this fails[1], you need to click the login
link as normal.
(Or something like that, at least. It's been a while since I looked into
it.)
This is indicated by setting the openid.mode value to
"checkid_immediate". The OP can optionally return a URL to send the user
to in order to authorize the transaction, but I don't think that this is
used much in practice.
-----------------------
[1] Failure could be due to the "no session cookie" case or it could be
due to the OP requiring the user to approve the RP before proceeding.
More information about the general
mailing list