[PROPOSAL] authentication age
Dick Hardt
dick at sxip.com
Sat Sep 30 17:04:47 PDT 2006
Motivating Use Case:
----------------------------
Different RPs will require different amounts of certainty about the
user, and at times will have different requirements depending on what
the user is doing. E.g. from existing web applications today: there is
little concern when the user is getting personalized pages and a
relatively old cookie may be adequate, but the app will require the
user to provide their password when changing their settings.
Proposed Implementation
-----------------------------------
New, optional parameter in the request, "openid.auth_age" where the
value is the number of seconds (minutes?) since the user last
provided credentials. If it has been longer than that since the
IdP authenticated the user, then the IdP MUST authenticate the user
again. A value of zero (0) means that the IdP MUST prompt the user
for credentials.
Issues
--------
There is no way to force an IdP to authenticate the user, but a
"good" IdP implementation will follow the requests of the RP.
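The RP request and the IdP-side freshness check this proposal sketches, written out as an added example (not code from the OpenID specs or from the author). It assumes seconds as the unit, treats a malformed value as a mandatory prompt, and falls back to the IdP's own session policy when the parameter is absent.

```python
import time
from typing import Optional
from urllib.parse import urlencode, parse_qs


def build_checkid_request(identity: str, return_to: str,
                          auth_age: Optional[int] = None) -> str:
    """RP side: build the query string of a checkid_setup request and add the
    proposed optional openid.auth_age when a freshness guarantee is wanted
    (e.g. 0 for a settings change, a few hours for a personalized page)."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
    }
    if auth_age is not None:
        if auth_age < 0:
            raise ValueError("openid.auth_age must be a non-negative integer")
        params["openid.auth_age"] = str(auth_age)
    return urlencode(params)


def idp_must_reauthenticate(query: str, last_auth_time: Optional[float],
                            now: Optional[float] = None) -> bool:
    """IdP side: decide whether to prompt the user for credentials again.

    last_auth_time is when this IdP last verified the user's credentials
    (None if there is no session at all).  Decision, per the proposal:
      - no openid.auth_age: IdP's own policy (assumed here: prompt only
        when there is no session);
      - auth_age == 0: always prompt;
      - otherwise prompt if the last credential check is older than
        auth_age seconds.
    A value that does not parse is treated like 0 (prompt), an assumption
    chosen so that a garbled request never silently weakens the check."""
    now = time.time() if now is None else now
    raw = parse_qs(query).get("openid.auth_age", [None])[0]
    if last_auth_time is None:
        return True
    if raw is None:
        return False
    try:
        auth_age = int(raw)
    except ValueError:
        return True
    if auth_age <= 0:
        return True
    return (now - last_auth_time) > auth_age
```

Note that the RP can only request this behaviour; it has no way to verify from the response that the IdP actually re-prompted, which is the issue raised above.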