[Openid-specs-ab] "auth_time" and "acr" half-used in Basic and Implicit

Mike Jones Michael.Jones at microsoft.com
Fri Jan 25 02:14:48 UTC 2013


Basic and Implicit both contain this text in the ID Token Validation section:

    If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of acr Claim Values is out of scope for this specification.

    If the auth_time Claim was requested, the Client SHOULD check the value and request re-authentication if it determines too much time has elapsed since the last user authentication.

The problem with that is that the "If" clauses can never be true in these specs, because these claims can only be requested with an OpenID Request Object.  Therefore, I believe that we should delete all the text about "acr" and "auth_time" from these specs.

People wanting to use these (more advanced) features can use Standard.  Any disagreement?

                                                            -- Mike
