[Openid-specs-mobile-profile] Issue #136: "interval" and "slow_down" may not give the OP enough control (openid/mobile)
Joseph Heenan
issues-reply at bitbucket.org
Fri Dec 14 12:28:07 UTC 2018
New issue 136: "interval" and "slow_down" may not give the OP enough control
https://bitbucket.org/openid/mobile/issues/136/interval-and-slow_down-may-not-give-the-op
Joseph Heenan:
The current draft says:
> If the Client is registered to use the Poll mode, then the Client polls the token endpoint at reasonable interval, which MUST NOT be more frequent than the minimum interval provided by the OpenID Provider via the "interval" parameter (if provided).
Something more along the lines of "must leave at least this duration since it received the last successful response" may be better than "more frequent" and "minimum interval", and similarly for "slow_down".
My thinking is that if the OP is in a meltdown type situation where it is taking 20+ seconds to reply to a request, the current draft seems to allow:
If we start at T=0, a client polling every 5 seconds and an AS taking 20 seconds to reply - I think the current spec allows the client to poll again at T=5 even though it's not have the previous response. Even if client waited to poll at T=25, the AS tells the client to slow_down it could legitimately poll again at T=35. (I'm not sure that's a clear explanation, please ask if it's not clear what I'm getting at.)
More information about the Openid-specs-mobile-profile
mailing list