<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">That is what I thought, though this is perhaps slightly different if it is returned in the ID token. <div><br></div><div>If it can replace max_auth_age I am happy, but I am not quite understanding it.</div><div><br></div><div>John B.<br><div><div>On 2011-06-14, at 9:22 AM, Nat Sakimura wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">For the RP state, we have "state" as a parameter in OAuth 2.0, as far as I remember. <div><br></div><div>=nat<br><br><div class="gmail_quote">On Tue, Jun 14, 2011 at 9:05 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word">PAPE doesn't require synchronized clocks. I know Dirk was fixating on that at one point.<div>
<br></div><div>The request is in seconds.</div><div><br></div><div>The response is the time of the last authentication. </div><div>Getting a pape.auth_time in the response tells you the IdP honoured the request. The time itself is extra info.</div>
<div><br></div><div>In a lot of cases tracking the RP nonce will be more complicated. </div><div><br></div><div>I don't hate the proposal, or anything like that. </div><div><br></div><div>If the RP takes the nonce in the request, and puts it in the ID token, I don't see how that confirms that the IdP re-prompted the user. </div>
<div>If the request is unsigned then the user could have removed the prompt=login from the request.</div><div><br></div><div>Is prompt= in the returned ID token as well?</div><div><br></div><div>I can see the RP nonce being useful potentially for other RP state info perhaps.</div>
<div>Perhaps nonce is not the correct name?</div><div><br></div><div>John B.</div><div class="im"><div><div><div>On 2011-06-13, at 6:53 PM, Breno de Medeiros wrote:</div><br><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><span style="font-family:monospace"><blockquote type="cite">
<br>They discussed a nonce parameter<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"> John wasn't sure what they were trying to accomplish with<br></blockquote><blockquote type="cite">
this<br></blockquote><br>I think the FB use case is to create a version of PAPE that doesn't<br>require synchronized clocks. One can send a nonce and prompt=login and<br>check the nonce to validate that the user was prompted. I found that<br>
interesting for discussion here.<br><br></span></span><br></blockquote></div><br></div></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div>
</blockquote></div><br></div></body></html>
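The thread above separates two things an RP might want from a nonce and an auth_time: binding the ID token to a request the RP actually made, and learning whether the IdP honoured a freshness request without the two sides having synchronized clocks. The following is an added example written for this page; it is not code from the thread, from any of the participants, or from any OpenID Connect project. It assumes the ID token's signature has already been verified and its claims are available as a dict, it uses the claim names `nonce` and `auth_time` and the request parameter `max_auth_age` as the thread names them, and `SessionStore` is a hypothetical per-browser store on the RP side. The skew handling (compare the IdP's auth_time against the RP clock with a bounded tolerance) is one way to address the synchronized-clock concern raised for PAPE, not a behaviour the thread specifies.

```python
"""RP-side nonce binding and authentication-freshness checks.

Added example, not code from the mailing-list thread or from any OpenID
project. Assumptions (not from the page): the ID token signature has
already been verified and its claims are a dict; claim names `nonce` and
`auth_time` and request parameter `max_auth_age` follow the thread's
naming; `SessionStore` is a hypothetical per-browser RP session store.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SessionStore:
    """Hypothetical per-browser-session state kept by the RP (constructed)."""
    pending_nonces: Dict[str, float] = field(default_factory=dict)  # nonce -> issued_at


def build_auth_request(session: SessionStore, max_auth_age: int,
                       now: Optional[float] = None) -> dict:
    """Create the authentication request parameters and remember the nonce.

    The nonce is bound to this RP session so the RP can later check that
    the ID token it receives answers a request it actually made.
    """
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)
    session.pending_nonces[nonce] = now
    return {
        "prompt": "login",             # ask the IdP to re-prompt the user
        "max_auth_age": max_auth_age,  # seconds, as the thread names it
        "nonce": nonce,
    }


def validate_id_token_claims(claims: dict, session: SessionStore,
                             max_auth_age: int, clock_skew: int = 60,
                             now: Optional[float] = None) -> Tuple[bool, str]:
    """Check nonce binding and authentication freshness; return (ok, reason).

    Two separate properties are checked:
      1. nonce: the token answers a request this RP issued (replay and
         mix-up protection). As John notes in the thread, a matching nonce
         by itself does not prove the IdP re-prompted the user.
      2. auth_time: the IdP reports when the user last authenticated; the
         RP compares it with its own clock, allowing a bounded skew rather
         than requiring synchronized clocks. A missing auth_time is treated
         as "the IdP did not honour the request".
    """
    now = time.time() if now is None else now

    nonce = claims.get("nonce")
    if not isinstance(nonce, str):
        return False, "nonce missing from ID token"
    # Constant-time comparison against each pending nonce for this session.
    match = next((n for n in session.pending_nonces
                  if hmac.compare_digest(n, nonce)), None)
    if match is None:
        return False, "nonce not issued by this RP session"
    del session.pending_nonces[match]  # single use: a replayed token fails here

    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time missing: IdP did not honour the request"
    if auth_time > now + clock_skew:
        return False, "auth_time is in the future beyond allowed skew"
    if now - auth_time > max_auth_age + clock_skew:
        return False, "authentication older than max_auth_age"
    return True, "ok"


def example_flow() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Happy path, a replayed token, and a stale authentication, using
    constructed claims and a fixed clock so the result is deterministic."""
    session = SessionStore()
    now = 1_700_000_000.0
    req = build_auth_request(session, max_auth_age=300, now=now)
    fresh = {"nonce": req["nonce"], "auth_time": now - 120}
    first = validate_id_token_claims(fresh, session, 300, now=now)
    replay = validate_id_token_claims(fresh, session, 300, now=now)
    req2 = build_auth_request(session, max_auth_age=300, now=now)
    stale = {"nonce": req2["nonce"], "auth_time": now - 3600}
    third = validate_id_token_claims(stale, session, 300, now=now)
    return first, replay, third


if __name__ == "__main__":
    for outcome in example_flow():
        print(outcome)
```

The nonce check and the auth_time check fail independently: a token that carries the right nonce but no auth_time is rejected as "not honoured", which is the signal John describes for pape.auth_time, while a token with a fresh auth_time but an unknown or already-consumed nonce is rejected as not belonging to this RP session.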