[OpenID] PAPE Compliant OP
Joe Tele
pnwtele at yahoo.com
Thu Jun 25 05:12:03 UTC 2009
We've been tinkering as an RP for a while and are now looking at some of the PAPE functionality. I'm having trouble finding an OP that respects the max_auth_age PAPE parameter--or I don't understand what it is for.
When we send an OP a request with the max_auth_age = 5, for example, I thought the OP would check if the user had authenticated within the last 5 seconds and if not, require a full login. The OPs I tried this didn't challenge the user and instead used a cookie to verify them.
Yahoo, verisign, myopenid, all seem to ignore it, although myopenid returns an auth_time that makes it at least appear to be doing something.
Can somebody suggest an OP that is known to do the right thing? I am wondering if our library is broken, the OPs are off, or I don't understand what is really supposed to happen:
We send:
openid.ns.pape=http://specs.openid.net/extensions/pape/1.0
openid.pape.max_auth_age=1
...
Thanks
More information about the general
mailing list