[Openid-specs-ab] Issue #993: How to treat a zero max_age request parameter? (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Mon May 9 09:49:45 UTC 2016


New issue 993: How to treat a zero max_age request parameter?
https://bitbucket.org/openid/connect/issues/993/how-to-treat-a-zero-max_age-request

Vladimir Dzhuvinov:

The core spec is not clear how an OP must treat an OpenID authentication request with `max_age=0`, and this question was raised by a developer:

1. Leave it up to the OP to decide whether the end-user is to be (re)authenticated (same as max_age omitted)?

2. Treat it as a prompt=login request?

OpenID PAPE also appears ambiguous on this. Is there an established practice when max_age=0?

Vladimir
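
The two readings listed in the issue, side by side, as an added example that is not part of the original message or of any OP's code. The `decide` helper, the enum names and the timestamp are hypothetical and constructed for illustration.

```python
from enum import Enum

class ZeroMaxAge(Enum):
    AS_OMITTED = "reading 1: same as max_age omitted"
    AS_PROMPT_LOGIN = "reading 2: same as prompt=login"

class Decision(Enum):
    OP_POLICY = "request does not force a login; OP decides"
    FORCE_LOGIN = "OP must actively re-authenticate the end-user"

def decide(params, auth_time, now, zero_policy):
    """Classify an authentication request (hypothetical helper).

    params      -- request parameters as received (string values)
    auth_time   -- epoch seconds of the end-user's last authentication
    now         -- current epoch seconds
    zero_policy -- which reading of max_age=0 this OP applies
    """
    # prompt is a space-delimited list; "login" always forces a login.
    if "login" in params.get("prompt", "").split():
        return Decision.FORCE_LOGIN

    raw = params.get("max_age")
    # Test for absence explicitly: a truthiness check such as
    # `if max_age:` silently turns 0 into "omitted" (reading 1).
    if raw is None:
        return Decision.OP_POLICY

    max_age = int(raw)
    if max_age < 0:
        raise ValueError("max_age must be a non-negative integer")
    if max_age == 0:
        if zero_policy is ZeroMaxAge.AS_PROMPT_LOGIN:
            return Decision.FORCE_LOGIN
        return Decision.OP_POLICY

    # Positive max_age: force a login once the session is older than allowed.
    if now - auth_time > max_age:
        return Decision.FORCE_LOGIN
    return Decision.OP_POLICY

if __name__ == "__main__":
    t0 = 1462780000  # constructed timestamp; session is 300 s old below
    for req in ({}, {"max_age": "600"}, {"max_age": "60"}, {"max_age": "0"}):
        for policy in ZeroMaxAge:
            print(req, policy.name, "->", decide(req, t0, t0 + 300, policy).name)
```

Only the `max_age=0` row differs between the two policies; every other request is classified the same way under both.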

