[Openid-specs-ab] Spec call notes 13-Jun-11
Nat Sakimura
sakimura at gmail.com
Tue Jun 14 13:22:34 UTC 2011
For the RP state, we have "state" as a parameter in OAuth 2.0, as far as I
remember.
=nat
On Tue, Jun 14, 2011 at 9:05 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> PAPE doesn't require synchronized clocks. I know Dirk was fixating on
> that at one point.
>
> The request is in seconds.
>
> The response is the time of the last authentication.
> Getting a pape.auth_time in the response tells you the IdP honoured the
> request. The time itself is extra info.
>
> In a lot of cases tracking the RP nonce will be more complicated.
>
> I don't hate the proposal, or anything like that.
>
> If the RP takes the nonce in the request, and puts it in the ID token, I
> don't see how that confirms that the IdP re-prompted the user.
> If the request is unsigned then the user could have removed the
> prompt=login from the request.
>
> Is prompt= in the returned ID token as well?
>
> I can see the RP nonce being useful potentially for other RP state info
> perhaps.
> Perhaps nonce is not the correct name?
>
> John B.
> On 2011-06-13, at 6:53 PM, Breno de Medeiros wrote:
>
> They discussed a nonce parameter
>
> John wasn't sure what they were trying to accomplish with this
>
> I think FB use case is to create a version of PAPE that doesn't
> require synchronized clocks. One can send a nonce and prompt=login and
> check the nonce to validate user was prompted. I found that
> interesting for discussion here.
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
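An added example, not code from the thread or from any OpenID implementation: an RP-side check in Python showing the distinction John draws above. The nonce the IdP echoes only binds the ID token to the request that started the flow (a replay check); whether the user was actually re-prompted can only be read from the returned authentication time. Claim names (nonce, auth_time, max_age) follow what later became OpenID Connect, and the HS256 signing is a constructed stand-in for the IdP's real signature.

```python
import base64, hashlib, hmac, json

# Constructed toy JWS helpers; a real IdP would sign with its own key (assumption).
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, key: bytes) -> str:
    """Stand-in IdP: returns a compact JWS over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes, expected_nonce: str,
                      max_age, now: int, skew: int = 60) -> str:
    """RP check; returns 'ok' or the first reason for rejection."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return "bad signature"
    claims = json.loads(_b64url_decode(body))
    # nonce: ties this token to the session that issued the request (anti-replay)
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    if max_age is None:
        return "ok"
    # Freshness of the login is known only from auth_time, never from the nonce.
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return "auth_time missing"   # IdP did not confirm it honoured the request
    if now - auth_time > max_age + skew:  # skew: tolerate small clock differences
        return "stale authentication"
    return "ok"

def demo() -> dict:
    key, nonce, now = b"constructed-shared-secret", "n-0S6_WzA2Mj", 1_308_000_000
    fresh = issue_id_token({"sub": "alice", "nonce": nonce, "auth_time": now - 5}, key)
    # Same nonce echoed back, but the IdP reused a login from an hour ago
    # (e.g. prompt=login was dropped from an unsigned request): nonce passes, auth_time fails.
    old = issue_id_token({"sub": "alice", "nonce": nonce, "auth_time": now - 3600}, key)
    return {"fresh": validate_id_token(fresh, key, nonce, 300, now),
            "old": validate_id_token(old, key, nonce, 300, now),
            "replayed": validate_id_token(fresh, key, "other-session", 300, now)}
```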