<body>
<p dir="auto">TL;DR - NIST FAL2 requires the RP to be able to specify a maximum age since last authentication in its request to the OP. FAL2 also requires the OP to communicate the timestamp of the last authentication event to the RP. These controls exist to enable the OP and RP to each enforce their own business rules around authentication time and need to be considered for IPSIE.</p>
<p dir="auto">On today’s IPSIE call we discussed the two issues (#89, #90) and a related PR which attempt to address these concerns. Following a good discussion (located here until the minutes are migrated to the IPSIE Wiki), we agreed to take this discussion to the mailing list. In a nutshell, the discussion comes down to whether the OP or RP should control whether the authentication event has occurred recently enough to be acceptable.</p>
<p dir="auto">After listening to the discussion this morning, my perspective is that both the OP and RP have an interest in ensuring recency of authentication.</p>
<ul class="custom-editor-bullet-list-class" dir="auto">
<li dir="auto"><p dir="auto">The OP’s interest is to ensure that authentication has occurred with sufficient recency to allow another federated authentication event to be processed. The OP is, absent a signal from the RP, unaware of the RP’s recency requirements. Enterprises may choose to enforce this rule centrally at the OP.</p></li>
<li dir="auto"><p dir="auto">The RP’s interest is in protecting the users and the RP’s brand. The RP may not trust that the IdP has been configured in a sufficiently secure manner and wants to enforce authentication controls to protect itself.</p></li>
</ul>
<p dir="auto">In order to ensure both the OP’s and RP’s concerns are represented, controls can be established, and the controls do not reduce interop, I have pushed a PR to codify the requirements for the parameter and claim. The PR makes three changes:</p>
<ul class="custom-editor-bullet-list-class" dir="auto">
<li dir="auto"><p dir="auto">First, the following lines have been added as a requirement for OPs issuing ID tokens:</p>
<ul class="custom-editor-bullet-list-class" dir="auto">
<li dir="auto"><p dir="auto">MUST contain the <code class="custom-editor-code-class">auth_time</code> claim to describe when end user authentication last occurred (see Note 4);</p></li>
<li dir="auto"><p dir="auto">Note 4: This claim is required to satisfy the requirements in Section 4.7 of [NIST.FAL].</p></li>
</ul></li>
<li dir="auto"><p dir="auto">Second, the OpenID provider’s authorization code flow has been updated with the following requirements:</p>
<ul class="custom-editor-bullet-list-class" dir="auto">
<li dir="auto"><p dir="auto">MUST support the <code class="custom-editor-code-class">max_age</code> parameter with a value representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than this value, the OP MAY choose to actively reauthenticate the user. If the elapsed time since authentication is greater than this value, the OP MUST actively reauthenticate the user.</p></li>
</ul></li>
<li dir="auto"><p dir="auto">Third, the RP must send the <code class="custom-editor-code-class">max_age</code> as a parameter:</p>
<ul class="custom-editor-bullet-list-class" dir="auto">
<li dir="auto"><p dir="auto">MUST use the <code class="custom-editor-code-class">max_age</code> parameter in the authentication request to specify the maximum allowable authentication age to the OP in seconds. The <code class="custom-editor-code-class">max_age</code> parameter value MAY be determined based upon the business rules of the RP.</p></li>
</ul></li>
</ul>
<p dir="auto">I believe that this balances the concerns of both OPs and RPs, does not introduce any interop concerns, and allows both the RP and OP an opportunity to control the recency of an authentication event.</p>
<p dir="auto">I appreciate any additional comments or feedback on the issues and PR ahead of next week’s call. Ideally we’ll be able to come to rough consensus ahead of the call, allowing the WG to move forward and close these issues soon.</p>
<p dir="auto">Thanks,</p>
<p dir="auto">-dhs</p>
<div class="signature"><p dir="auto">--</p><div dir="auto"><p dir="auto">Dean H. Saxe</p></div><div dir="auto"><p dir="auto"><a href="mailto:dean@thesax.es">dean@thesax.es</a></p></div></div>
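<p dir="auto">The <code>max_age</code> / <code>auth_time</code> exchange the PR text describes, worked through as an added example (this is not code from the PR, the IPSIE spec or the author): the RP builds its authentication request with its own <code>max_age</code>, the OP decides whether it must actively re-authenticate, and the RP then enforces its own recency rule from the <code>auth_time</code> claim rather than trusting the OP's configuration. The function names, the <code>CLOCK_SKEW_S</code> tolerance and the <code>op_central_max_age</code> policy knob (modelling the "enforce centrally at the OP" case) are assumptions, and ID token signature, iss, aud, exp and nonce validation are assumed to happen elsewhere.</p>

```python
from typing import Optional
from urllib.parse import urlencode

# Clock skew tolerated between OP and RP when comparing auth_time (an assumption
# for this example; pick a value that matches your deployment).
CLOCK_SKEW_S = 60


def build_authentication_request(authz_endpoint: str, client_id: str, redirect_uri: str,
                                 state: str, nonce: str, max_age: int) -> str:
    """RP side: authorization code flow request carrying the RP's own max_age,
    the largest number of seconds since active authentication the RP accepts."""
    if max_age < 0:
        raise ValueError("max_age must be a non-negative number of seconds")
    params = {
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "max_age": str(max_age),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def op_requires_reauth(last_auth_time: int, max_age: Optional[int], now: int,
                       op_central_max_age: Optional[int] = None) -> bool:
    """OP side: when the RP sent max_age, the OP MUST actively re-authenticate
    once the elapsed time exceeds it (below that it MAY). op_central_max_age
    models an enterprise rule enforced centrally at the OP (an assumption);
    the stricter of the two limits wins."""
    limits = [v for v in (max_age, op_central_max_age) if v is not None]
    if not limits:
        return False  # neither side imposed a recency constraint
    return (now - last_auth_time) > min(limits)


def rp_check_auth_time(claims: dict, max_age: int, now: int) -> str:
    """RP side: enforce the RP's own recency rule from the ID token's auth_time
    claim, independent of how the OP is configured. Signature, iss, aud, exp and
    nonce validation of the ID token are assumed to have been done already.
    Returns "ok" or a reason for rejection."""
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return "missing_or_invalid_auth_time"  # the PR text makes the claim a MUST
    if auth_time > now + CLOCK_SKEW_S:
        return "future_auth_time"  # beyond tolerated skew: do not trust it
    if now - auth_time > max_age + CLOCK_SKEW_S:
        return "too_old"  # OP should have re-authenticated; RP re-requests
    return "ok"
```

The RP-side check is what lets the RP protect itself when it does not trust the IdP's configuration: an OP that ignores <code>max_age</code> still cannot get a stale session accepted, because the RP rejects the token and sends a fresh request.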
</body>