[OpenID] MyOpenID's PAPE implementation doesn't honour max_auth_age
John Bradley
ve7jtb at ve7jtb.com
Mon Oct 26 14:32:50 UTC 2009
Thanks Craig,
I will talk to them about it. max_auth_age has not been well
supported by OP's honestly none of PAPE has.
We require working PAPE including max_auth_age for the ICAM profile of
openID.
That has motivated a number of OP's to implement it.
MyOpenID has not been participating in the pilot so this hasn't gotten
much scrutiny.
At the end of the day without the IdP conforming to some known
profile, the PAPE assertions aren't worth much.
John B.
On 2009-10-26, at 12:20 AM, Craig Forster wrote:
>
> It appears that the MyOpenID OP's PAPE implementation doesn't honour
> the
> max_auth_age parameter. It correctly reports the authentication
> time of
> the user back to the RP, but doesn't prompt for re-authentication if
> this
> time is earlier than the RP requested.
>
> Is there a reason for this behaviour?
>
> ---
> craig forster | staff software engineer | ibm australia development
> labs
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2468 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091026/cafc7764/attachment.bin>
More information about the general
mailing list