[security] PAPE Policy for RPs to force authentication without browser cookie
SitG Admin
sysadmin at shadowsinthegarden.com
Wed Jul 1 22:00:54 UTC 2009
At 10:43 PM -0700 6/30/09, Dick Hardt wrote:
>So if the user has authenticated 55 seconds ago, but takes 6 seconds
>to click the continue button, then the user will be presented with a
>login screen after clicking the continue button which tells them
>they will be sent to the RP. Jarring user experience. I would
>suggest we think this through.
Countdown button showing the remaining seconds to click before the
option is grayed-out?
At 11:04 PM -0700 6/30/09, Allen Tom wrote:
>- OPs which use passwords to authenticate the user should re-prompt
>for the password (it's OK to pre-fill the userid in the Login form)
Some browsers (or extensions thereof) will also pre-fill the password
field. Out of scope for OpenID, but nice to be aware of. (I try to
break this behavior by adding random characters to the input field's
name each time it's generated, and then only looking at the first
part of its name to identify it. I suspect user appreciation for this
"feature" is not high.)
>- Ideally, the user's IP address should not change between the time
>the user authenticated and when the assertion is generated. (this is
>less important, but nice to have)
OpenID presumes a certain network architecture, then? OPs won't be
reachable through proxies or any weirdness that guarantees the admins
they only need to expect connections from an internal IP address?
Users won't be connecting through a mixer or any other weirdness that
assigns a different external IP address to every outgoing connection?
At 11:08 PM -0700 6/30/09, Dirk Balfanz wrote:
>Let's say Amazon decides that X=30 seconds. If Amazon really
>believes the statement above with X=30 seconds, then there is no
>need for them to ask for reauthentication in every case. They should
>only ask for reauthentication if the session is older than 30
>seconds. In other words, the only sensible thing for Amazon to send
>to the OP is max_auth_age=30, not max_auth_age=0, or some new
>special PAPE policy.
What if Amazon wants X=30 seconds for some cases and X=10 seconds for others?
>Now, what should the OP return? The OP abides by Amazon's wishes and
>re-authenticates the user if the user's session is older than 30
>seconds. But then the user gets distracted or whatnot, so when the
>user actually returns to Amazon, the login session at this point is
>2 minutes old. Amazon needs to know this because their policy is to
>only allow sessions that are no more than 30 seconds old. So the OP
>actually needs to tell the RP the age of the user's login session.
I don't think so. It seems like the RP only needs a TRUE/FALSE statement.
>To summarize, knowing that the OP met the RP's policy
>(reauthenticated the user) _doesn't_ buy the RP anything (the user
>session could still be too old by the time the user returns to the
>OP).
I think I understand now: the OP would be providing a direct link to
the RP, which the user would click on after they'd been
authenticated. But it's possible for the OP to link back to itself,
providing an immediate redirect as per the next link in an OpenID
chain - but only *if* the user were still meeting that policy.
-Shade
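The exchange above turns on two separate checks: the OP decides whether to re-prompt when it receives the RP's `openid.pape.max_auth_age`, and the RP decides whether the `openid.pape.auth_time` it gets back is still fresh when the assertion finally arrives. The following is an added example, not code from this thread or from any OpenID library, that walks through Dirk Balfanz's 30-second scenario with both sides modelled. The parameter names are PAPE 1.0's; the function names, the clock-skew allowance and the sample timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# PAPE 1.0 wire names: the RP sends openid.pape.max_auth_age (seconds) in
# its request; the OP answers with openid.pape.auth_time, an ISO 8601 UTC
# timestamp "YYYY-MM-DDThh:mm:ssZ".  Everything else here (helper names,
# skew tolerance, sample times) is constructed for this example.
AUTH_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def format_auth_time(t):
    """Render a timezone-aware datetime as a PAPE auth_time string."""
    return t.astimezone(timezone.utc).strftime(AUTH_TIME_FMT)


def parse_auth_time(s):
    """Parse a PAPE auth_time string back into an aware UTC datetime."""
    return datetime.strptime(s, AUTH_TIME_FMT).replace(tzinfo=timezone.utc)


def op_must_reauthenticate(session_auth_time, max_auth_age, now):
    """OP side: re-prompt when the existing session is older than the
    RP's limit.  max_auth_age=0 means 'always re-authenticate'."""
    if max_auth_age is None:
        return False
    if max_auth_age == 0:
        return True
    return (now - session_auth_time) > timedelta(seconds=max_auth_age)


def op_build_response(session_auth_time, max_auth_age, now):
    """OP side: honour max_auth_age and report the (possibly refreshed)
    authentication time.  Returns (reauthenticated, response_fields)."""
    reauth = op_must_reauthenticate(session_auth_time, max_auth_age, now)
    if reauth:
        session_auth_time = now  # user just re-entered the password
    return reauth, {"openid.pape.auth_time": format_auth_time(session_auth_time)}


def rp_accepts(response_fields, max_auth_age, now, skew_seconds=0):
    """RP side: accept only if auth_time is within the RP's limit at the
    moment the assertion arrives, not at the moment the OP issued it.
    A bare 'the OP complied' flag cannot express this."""
    auth_time_str = response_fields.get("openid.pape.auth_time")
    if auth_time_str is None:
        return False  # age unknown: treat as not fresh
    auth_time = parse_auth_time(auth_time_str)
    skew = timedelta(seconds=skew_seconds)
    if auth_time > now + skew:
        return False  # timestamp from the future: skew beyond tolerance
    return (now - auth_time) <= timedelta(seconds=max_auth_age) + skew


def walk_through_thread_scenario():
    """Dirk Balfanz's example: RP limit 30 s, existing OP session 55 s old,
    OP re-authenticates, then the user either returns after 6 s (Dick
    Hardt's slow click) or wanders off for 2 minutes.
    Returns (op_reauthenticated, accepted_after_2min, accepted_after_6s)."""
    t0 = datetime(2009, 6, 30, 23, 8, 0, tzinfo=timezone.utc)  # constructed
    session_auth_time = t0 - timedelta(seconds=55)
    reauth, fields = op_build_response(session_auth_time, 30, t0)
    late = rp_accepts(fields, 30, t0 + timedelta(minutes=2))
    prompt = rp_accepts(fields, 30, t0 + timedelta(seconds=6))
    return reauth, late, prompt


if __name__ == "__main__":
    print(walk_through_thread_scenario())  # (True, False, True)
```

The RP applies its own limit against the reported `auth_time` and its own clock, so an RP that wants 30 seconds for one action and 10 for another simply passes a different `max_auth_age` per request and re-checks on receipt; the OP never needs a new special-purpose policy for that.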