[Openid-specs-ab] Issue #134: Make it a warning when the auth_time value resulting from a max_age request is not in the expected range (openid/certification)
Michael Jones
issues-reply at bitbucket.org
Fri Mar 27 20:38:24 UTC 2015
New issue 134: Make it a warning when the auth_time value resulting from a max_age request is not in the expected range
https://bitbucket.org/openid/certification/issue/134/make-it-a-warning-when-the-auth_time-value
Michael Jones:
Please change it from being an error to a warning when the auth_time value resulting from a max_age request is not in the expected range. Also, if we're doing anything in the max_age=1 test to detect whether a reauthentication occurred, please make the lack of a reauthentication a warning condition, rather than an error.
It still will be an error if no auth_time claim is present in the ID Token when max_age is used.
This is per the conversation with Google documented in the thread [Openid-specs-ab] Conformance and Max Auth Age.
Responsible: Rohe
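
An added illustration of the severity split requested in the message above (not code from the OpenID certification suite or from the author): a missing auth_time after a max_age request is an error, while an out-of-range value or an undetected reauthentication is only a warning. The range test, the clock-skew allowance and all function names are assumptions, since the message does not define the expected range.

```python
import base64
import json
import time

def id_token_claims(id_token):
    """Decode the JWT payload; signature verification is assumed done elsewhere."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_auth_time(claims, max_age, now=None, skew=5, previous_auth_time=None):
    """Return (severity, message) with severity 'ERROR', 'WARNING' or 'OK'."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    # A missing or non-numeric auth_time after a max_age request stays an error.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return "ERROR", "no usable auth_time claim although max_age was requested"
    # Assumed range: not in the future, not older than max_age (plus skew).
    if auth_time > now + skew:
        return "WARNING", "auth_time is in the future"
    if now - auth_time > max_age + skew:
        return "WARNING", "auth_time is older than max_age allows"
    # max_age=1 test: an auth_time that did not advance suggests no reauthentication.
    if previous_auth_time is not None and auth_time <= previous_auth_time:
        return "WARNING", "auth_time did not advance; no reauthentication detected"
    return "OK", "auth_time within expected range"

def constructed_token(claims):
    """Build an unsigned sample token (constructed input, not a real ID Token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

if __name__ == "__main__":
    NOW = 1427488704  # constructed timestamp
    samples = [
        ("missing", {"sub": "u1"}, None),
        ("stale", {"sub": "u1", "auth_time": NOW - 600}, None),
        ("no reauth", {"sub": "u1", "auth_time": NOW - 1}, NOW - 1),
        ("fresh", {"sub": "u1", "auth_time": NOW}, NOW - 30),
    ]
    for label, claims, prev in samples:
        claims = id_token_claims(constructed_token(claims))
        print(label, check_auth_time(claims, 1, now=NOW, previous_auth_time=prev))
```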