[security] PAPE Policy for RPs to force authentication without browser cookie
Nate Klingenstein
ndk at internet2.edu
Wed Jul 1 05:17:39 UTC 2009
Allen,
> The PAPE Extension seems to be the right way to implement this
> functionality in OpenID, and I believe that the authors of the PAPE
> spec intended RPs to be able to specify openid.pape.max_auth_age=0
> in the request to ask the OP to authenticate the user without
> relying on browser cookies. In the case where the user is already
> authenticated at the OP (using cookies), the expectation is that the
> OP re-authenticates the user before returning a positive assertion
> to the RP. In the most common case, where the user authenticates
> with a password, the OP is expected to verify the user's password
> before returning the assertion to the RP.
This could be clearer in the spec, but given the "zero or more"
verbiage, I'd agree with your interpretation.
> For instance, what if the RP specified max_auth_age=<1 minute>?
> Sometimes users take a few minutes to complete the OpenID sign in
> flow (they might get distracted), and although the user may have
> entered their password immediately after being redirected to the OP,
> the user may have taken more than a minute to navigate through the
> OP's approval screen, before clicking on the button to return back
> to the RP.
Isn't it the OP that is obliged to perform the check? It would be
performed immediately when the user presents the message, I'd imagine,
since it's determining how to handle the request.
It wouldn't matter if they dally at the OP if the RP weren't likely to
complain about the auth_time on the user's arrival, which is a
separate matter (and not mandated by spec from what I can tell). But
some check probably needs to be explicitly performed by the RP on the
return leg until authentication requests can be signed. Sigh.
Either way, the RP would only be sabotaging its own user base here, so
this falls more into the category of recommendations or best
practices, in my opinion.
The SHOULD there reads strangely too, though.
> In order to provide a standard "force authentication" interface, I
> propose that either we define a new PAPE policy, or we clearly
> define max_auth_age=0 as a special value.
Having seen other working group applications and spec revisions move a
little gradually, I feel compelled to first ask: how painful are these
options?
> comments?
Yes. Signed authentication requests would be nice and limit the
"trust, but verify" the RP needs to do -- that is to say, limit the
amount of private data the OP needs to expose.
Take care,
Nate.
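The RP-side return-leg check discussed in the thread, as an added example that is not part of the original mail or of any PAPE implementation. It assumes the RP records its own clock when it issues the checkid request (request_issued_at) and compares the OP's openid.pape.auth_time against that moment rather than against arrival time, so a user who dallies at the OP's approval screen is not penalised; max_auth_age=0 is read as "authenticate again during this request". The 30 second skew tolerance and the sample responses are constructed values.

```python
"""RP-side verification of openid.pape.auth_time against the requested max_auth_age.

Assumptions (not from the thread): the RP stores the UTC time at which it issued
the checkid request and passes it in as request_issued_at; parameter names are
the PAPE 1.0 ones (openid.pape.max_auth_age in the request, openid.pape.auth_time
in the response, the latter an ISO8601 UTC timestamp ending in 'Z').
"""
from datetime import datetime, timedelta, timezone

PAPE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_auth_time(value):
    """Parse openid.pape.auth_time; return an aware UTC datetime, or None if malformed."""
    try:
        return datetime.strptime(value, PAPE_TIME_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_auth_time(response, max_auth_age, request_issued_at, now,
                    skew=timedelta(seconds=30)):
    """Decide whether a positive assertion meets the freshness the RP asked for.

    response          - dict of response parameters, e.g. {'openid.pape.auth_time': ...}
    max_auth_age      - integer seconds the RP sent, or None if it sent no requirement
    request_issued_at - RP clock when the checkid request was issued (aware UTC)
    now               - RP clock when the assertion arrived (aware UTC)
    skew              - tolerance for OP/RP clock drift (constructed default)
    Returns (accepted, reason).
    """
    if max_auth_age is None:
        return True, "no freshness requirement was sent"

    auth_time = parse_auth_time(response.get("openid.pape.auth_time"))
    if auth_time is None:
        # An OP that honours PAPE must report when it authenticated the user;
        # without it the RP cannot verify anything, so fail closed.
        return False, "max_auth_age requested but auth_time missing or malformed"

    if auth_time > now + skew:
        return False, "auth_time lies in the future beyond clock tolerance"

    # Measure freshness relative to when the RP issued the request, not when the
    # user came back: time spent on the OP's approval screen then does not count.
    # With max_auth_age=0 this reduces to "the OP authenticated the user after
    # receiving our request", i.e. it did not reuse an existing cookie session.
    earliest_acceptable = request_issued_at - timedelta(seconds=max_auth_age) - skew
    if auth_time < earliest_acceptable:
        lag = int((request_issued_at - auth_time).total_seconds())
        return False, (f"authentication happened {lag}s before the request, "
                       f"exceeds max_auth_age={max_auth_age}s")
    return True, f"authentication satisfies max_auth_age={max_auth_age}s"


def demo():
    """Run the check over constructed responses; returns the list of decisions."""
    issued = datetime(2009, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    arrived = issued + timedelta(minutes=3)  # user took three minutes at the OP
    cases = [
        # (description, response, max_auth_age)
        ("forced re-auth, password entered after redirect",
         {"openid.pape.auth_time": "2009-07-01T12:00:05Z"}, 0),
        ("forced re-auth, OP reused a half-hour-old cookie session",
         {"openid.pape.auth_time": "2009-07-01T11:30:00Z"}, 0),
        ("max_auth_age=60, authenticated 30s before request, dallied 3 min",
         {"openid.pape.auth_time": "2009-07-01T11:59:30Z"}, 60),
        ("max_auth_age=60, authenticated 2 min before request",
         {"openid.pape.auth_time": "2009-07-01T11:58:00Z"}, 60),
        ("forced re-auth but OP omitted auth_time", {}, 0),
    ]
    return [(desc, check_auth_time(resp, age, issued, arrived)) for desc, resp, age in cases]


if __name__ == "__main__":
    for desc, (ok, reason) in demo():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {desc}: {reason}")
```

Anchoring the comparison at request_issued_at is the design choice here: it is the RP's own clock, so it cannot be forged by the OP, and it makes the "user got distracted" case from the thread a non-issue while still rejecting an OP that answered max_auth_age=0 from an existing cookie session.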