[Openid-specs-ab] Issue #134: Make it a warning when the auth_time value resulting from a max_age request is not in the expected range (openid/certification)
torsten at lodderstedt.net
Tue Apr 7 02:23:12 UTC 2015
Hi Mike,
I think this changed behavior of the test suite also needs to be reflected
in the respective text of the OpenID Connect Core spec.
Right now it says:
max_age
OPTIONAL. Maximum Authentication Age. ... the OP MUST attempt to
actively re-authenticate the End-User. ...
meaning the OP must re-authenticate the user, which in turn also means
the auth_time will be in the time range the RP expected it.
I think it should now read: ... the OP MAY/SHOULD attempt to actively
re-authenticate the End-User. ...
kind regards,
Torsten.
On 27.03.2015 13:38, Michael Jones wrote:
> New issue 134: Make it a warning when the auth_time value resulting
> from a max_age request is not in the expected range
> https://bitbucket.org/openid/certification/issue/134/make-it-a-warning-when-the-auth_time-value
>
> Michael Jones:
>
> Please change it from being an error to a warning when the auth_time
> value resulting from a max_age request is not in the expected range.
> Also, if we're doing anything in the max_age=1 test to detect whether
> a reauthentication occurred, please make the lack of a
> reauthentication a warning condition, rather than an error.
>
> It still will be an error if no auth_time claim is present in the ID
> Token when max_age is used.
>
> This is per the conversation with Google documented in the thread
> [Openid-specs-ab] Conformance and Max Auth Age.
>
> Responsible: Rohe
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
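
The severity split described in the issue above, as an added example that is not part of the original message and not the certification suite's code: a missing auth_time after a max_age request is an error, an auth_time outside the expected range is a warning. The function names, the `skew` tolerance, the handling of a malformed value and the relying-party policy in `rp_decision` are assumptions of this sketch.

```python
import time
from typing import Mapping, Optional, Tuple

OK, WARNING, ERROR = "ok", "warning", "error"


def check_auth_time(claims: Mapping[str, object], max_age: int,
                    now: Optional[int] = None, skew: int = 60) -> Tuple[str, str]:
    """Classify the auth_time of an already signature-verified ID Token
    that was returned for a request carrying max_age."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return ERROR, "auth_time missing although max_age was requested"
    # Assumption: a malformed value is treated like a missing claim.
    # bool is a subclass of int in Python, so it is rejected explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return ERROR, "auth_time is not an integer number of seconds"
    age = now - auth_time
    if age < -skew:
        return WARNING, f"auth_time lies {-age}s in the future"
    if age > max_age + skew:
        return WARNING, f"authentication is {age}s old, max_age was {max_age}s"
    return OK, f"authentication is {age}s old, within max_age={max_age}s"


def rp_decision(severity: str) -> str:
    """Assumed policy for an RP that needs a fresh login: a finding that is
    only a warning for certification is still not accepted by the RP."""
    return "accept" if severity == OK else "reject_and_reauthenticate"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed reference time
    samples = [  # constructed ID Token claim sets
        ({"sub": "alice"}, 1),                            # no auth_time
        ({"sub": "alice", "auth_time": now - 3600}, 1),   # OP did not re-authenticate
        ({"sub": "alice", "auth_time": now - 30}, 300),   # fresh enough
    ]
    for claims, max_age in samples:
        severity, msg = check_auth_time(claims, max_age, now=now)
        print(severity, rp_decision(severity), msg)
```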