[security] PAPE Policy for RPs to force authentication without browser cookie
Allen Tom
atom at yahoo-inc.com
Wed Jul 1 05:32:17 UTC 2009
Hi Nate -
Consider the scenario where the RP specified max_auth_age=1minute in the
request, and after being redirected to the OP, the user enters their
password, then sees the OP's approval screen and decides to take a 10
minute break before clicking the "continue" button.
Should the OP re-prompt the user for the password again before
returning the assertion to the RP, because the RP requested that the
password be verified within 1 minute of returning the assertion?
I believe that you said that the OP should re-verify the user's password
in this case, which makes plenty of sense.
Now getting back to the original case, where the RP used the magic
max_auth_age=0 value. Unless there is zero network latency, and the OP
does not have a separate approval screen, it is impossible for the OP to
satisfy this requirement.
That's why I was suggesting that we just define max_auth_age=0 as a
special case, and clearly define what is expected for this case.
Thanks
Allen
Nate Klingenstein wrote:
>
>> For instance, what if the RP specified max_auth_age=<1 minute>?
>> Sometimes users take a few minutes to complete the OpenID sign in
>> flow (they might get distracted), and although the user may have
>> entered their password immediately after being redirected to the OP,
>> the user may have taken more than a minute to navigate through the
>> OP's approval screen, before clicking on the button to return back to
>> the RP.
>
> Isn't it the OP that is obliged to perform the check? It would be
> performed immediately when the user presents the message, I'd imagine,
> since it's determining how to handle the request.
>
> It wouldn't matter if they dally at the OP if the RP weren't likely to
> complain about the auth_time on the user's arrival, which is a
> separate matter (and not mandated by spec from what I can tell). But
> some check probably needs to be explicitly performed by the RP on the
> return leg until authentication requests can be signed. Sigh.
>
> Either way, the RP would only be sabotaging its own user base here, so
> this falls more into the category of recommendations or best
> practices, in my opinion.
>
> The SHOULD there reads strangely too, though.
>
>> In order to provide a standard "force authentication" interface, I
>> propose that either we define a new PAPE policy, or we clearly define
>> max_auth_age=0 as a special value.
>
> Having seen other working group applications and spec revisions move a
> little gradually, I feel compelled to first ask: how painful are these
> options?
>
>> comments?
>
> Yes. Signed authentication requests would be nice and limit the
> "trust, but verify" the RP needs to do -- that is to say, limit the
> amount of private data the OP needs to expose.
>
> Take care,
> Nate.
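The two checks the thread argues about, modelled as an added example (this is not code from the thread, from Yahoo or from the PAPE spec). It replays the scenario Allen describes: the OP receives the request, the user types the password a few seconds later, then waits ten minutes on the approval screen before clicking "continue". The OP-side function applies the literal max_auth_age rule at the moment the assertion is issued, and treats max_auth_age=0 as the special case proposed here, assumed to mean "the password must have been verified after the OP received this request". The RP-side function is the return-leg "trust, but verify" check Nate mentions, with an assumed 60 second clock-skew tolerance. All timestamps are constructed; the 0-as-special-case semantics and the skew value are assumptions, not spec text.

```python
from datetime import datetime, timedelta, timezone

# openid.pape.auth_time is an ISO 8601 UTC timestamp with a trailing Z.
PAPE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_pape_time(value):
    """Parse a PAPE timestamp such as '2009-07-01T05:32:17Z' into an aware UTC datetime."""
    return datetime.strptime(value, PAPE_TIME_FMT).replace(tzinfo=timezone.utc)


def op_needs_reprompt(last_password_check, now, max_auth_age, request_received):
    """OP side: decide, just before signing the assertion, whether to re-prompt.

    All times are PAPE-format strings. Policy, in the order checked:
      * no max_auth_age in the request: an existing session is acceptable;
      * no password check on record: always prompt;
      * max_auth_age == 0: the special case proposed in the thread, ASSUMED here to
        mean 'the password must have been verified during this request', i.e. after
        the OP received the checkid_setup request, however long the user then sat
        on the approval screen;
      * otherwise the literal rule: the check must be no older than max_auth_age
        seconds at the moment the assertion is issued, so a 10 minute pause on the
        approval screen fails a 60 second policy.
    """
    if max_auth_age is None:
        return False
    if last_password_check is None:
        return True
    last = parse_pape_time(last_password_check)
    if max_auth_age == 0:
        return last < parse_pape_time(request_received)
    return parse_pape_time(now) - last > timedelta(seconds=max_auth_age)


def rp_accepts_auth_time(auth_time, max_auth_age, request_sent, now, skew_seconds=60):
    """RP side: the 'trust, but verify' check on the return leg.

    Without signed requests the RP cannot prove what policy it asked for, so it
    re-checks the asserted auth_time against the max_auth_age it remembers
    sending, allowing skew_seconds (assumed value) of clock difference
    between RP and OP.
    """
    asserted = parse_pape_time(auth_time)
    now_dt = parse_pape_time(now)
    tol = timedelta(seconds=skew_seconds)
    if asserted > now_dt + tol:
        return False  # auth_time further in the future than the skew allows: reject
    if max_auth_age is None:
        return True
    if max_auth_age == 0:
        return asserted >= parse_pape_time(request_sent) - tol
    return now_dt - asserted <= timedelta(seconds=max_auth_age) + tol


def literal_zero_is_satisfiable(last_password_check, now):
    """The literal reading of max_auth_age=0: the password check must be no older
    than 0 seconds when the assertion is issued. True only if the two instants
    coincide, which any network latency or approval screen rules out."""
    return parse_pape_time(now) - parse_pape_time(last_password_check) <= timedelta(0)


def thread_scenario():
    """Replay the case from the mail with constructed timestamps: request received,
    password typed five seconds later, ten minute break, then 'continue'."""
    t_request = "2009-07-01T05:00:00Z"
    t_password = "2009-07-01T05:00:05Z"
    t_continue = "2009-07-01T05:10:05Z"
    return {
        "60s policy forces a re-prompt after the break":
            op_needs_reprompt(t_password, t_continue, 60, t_request),
        "literal max_auth_age=0 satisfiable one second after typing":
            literal_zero_is_satisfiable(t_password, "2009-07-01T05:00:06Z"),
        "special-cased max_auth_age=0 accepts the in-request password":
            not op_needs_reprompt(t_password, t_continue, 0, t_request),
    }
```

`thread_scenario()` returns True, False, True for the three entries: the 60 second policy re-prompts after the pause, the literal zero rule cannot be met even one second after the password is typed, and the special-cased zero accepts a password verified during the request. The RP check deliberately tolerates skew only in the direction that cannot be exploited to relax the policy by much; an auth_time ahead of the RP's clock by more than the tolerance is rejected outright.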