[Openid-specs-ab] Spec call notes 13-Jun-11
John Bradley
ve7jtb at ve7jtb.com
Tue Jun 14 14:26:45 UTC 2011
That is what I thought though this is perhaps slightly different if it is returned in the ID token.
If it can replace max_auth_age I am happy, but I am not quite understanding it.
John B.
On 2011-06-14, at 9:22 AM, Nat Sakimura wrote:
> For the RP state, we have "state" as a parameter in OAuth 2.0, as far as I remember.
>
> =nat
>
> On Tue, Jun 14, 2011 at 9:05 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> PAPE doesn't require synchronized clocks. I know Dirk was fixating on that at one point.
>
> The request is in seconds.
>
> The response is the time of the last authentication.
> Getting a pape.auth_time in the response tells you the IdP honoured the request. The time itself is extra info.
>
> In a lot of cases tracking the RP nonce will be more complicated.
>
> I don't hate the proposal, or anything like that.
>
> If the RP takes the nonce in the request, and puts it in the ID token, I don't see how that confirms that the IdP re prompted the user.
> If the request is unsigned then the user could have removed the prompt=login from the request.
>
> Is prompt= in the returned ID token as well?
>
> I can see the RP nonce being useful potentially for other RP state info perhaps.
> Perhaps nonce is not the correct name?
>
> John B.
> On 2011-06-13, at 6:53 PM, Breno de Medeiros wrote:
>
>>>
>>> They discussed a nonce parameter
>>>
>>> John wasn't sure what they were trying to accomplish with
>>> this
>>
>> I think FB use case is to create a version of PAPE that doesn't
>> require synchronized clocks. One can send a nonce and prompt=login and
>> check the nonce to validate user was prompted. I found that
>> interesting for discussion here.
>>
>>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
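As an added illustration of the check being debated above (not code from the thread, from Facebook, or from any OpenID specification): the RP-side validation in which the nonce only binds the ID token to this request, while auth_time is what actually says whether the user was re-prompted. Claim names `nonce` and `auth_time` follow the thread's terminology; the sample payloads, the 120-second skew window and the check itself are constructed assumptions.

```python
# Constructed sample ID token payloads (decoded claims only; signature
# verification is assumed to have already succeeded before these checks).
FRESH_LOGIN = {"iss": "https://idp.example", "sub": "alice", "aud": "rp-client",
               "nonce": "n-0S6_WzA2Mj", "auth_time": 1308055200}
STALE_SESSION = {"iss": "https://idp.example", "sub": "alice", "aud": "rp-client",
                 "nonce": "n-0S6_WzA2Mj", "auth_time": 1308000000}
NO_AUTH_TIME = {"iss": "https://idp.example", "sub": "alice", "aud": "rp-client",
                "nonce": "n-0S6_WzA2Mj"}

# Assumed tolerance for clock differences between RP and IdP, in seconds.
# The comparison is a difference of seconds (request in seconds, response a
# timestamp), so it does not need the two clocks to be synchronized exactly.
SKEW = 120


def check_reauth(claims, expected_nonce, max_age, now):
    """Return (ok, reason) for an RP that sent prompt=login plus a nonce and
    wants evidence the user authenticated within the last max_age seconds.

    The nonce proves the token answers this request and blocks replay of an
    older token; it proves nothing about re-prompting, since an unsigned
    request could have had prompt=login stripped. Freshness must come from
    auth_time, as with pape.auth_time in the response.
    """
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token is not a response to this request"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "no auth_time: cannot tell whether the user was re-prompted"
    age = now - int(auth_time)
    if age < -SKEW or age > max_age + SKEW:
        return False, f"auth_time is {age}s old, exceeds max_age of {max_age}s"
    return True, "nonce bound to request and authentication is fresh"


if __name__ == "__main__":
    now = 1308055260  # constructed: 60 s after FRESH_LOGIN's auth_time
    for name, tok in (("fresh", FRESH_LOGIN), ("stale", STALE_SESSION),
                      ("no auth_time", NO_AUTH_TIME)):
        print(name, check_reauth(tok, "n-0S6_WzA2Mj", 300, now))
```

The RP's own request state (the `state` parameter Nat mentions) is a separate value echoed in the authorization response and is not what this check inspects.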