[PROPOSAL] authentication age

Dick Hardt dick at sxip.com
Sat Sep 30 17:04:47 PDT 2006

Motivating Use Case:

Different RPs will require different amounts of certainty about the  
user, and at times will have different requirements depending on what  
the user is doing. Eg. from existing web applications today. There is  
little concern when the user is getting personalized pages and a  
relatively old cookie may be adequate but the app will require the  
user to provide their password when changing their settings.

Proposed Implementation

New, optional parameter in the request, "openid.auth_age" where the  
value is the number of seconds (minutes?) since the user last  
provided credentials. If the it has been longer since then that the  
IdP authenticated the user, then the IdP MUST authenticate the user  
again. A value of zero (0) means that the IdP MUST prompt the user  
for credentials.

There is no way to force an IdP to authenticate the user, but a  
"good" IdP implementation will follow the requests of the RP

More information about the specs mailing list