OpenID Provider Authentication Policy Extension
Johnny Bufu
johnny at sxip.com
Fri Jun 29 02:31:02 UTC 2007
David,
On 22-Jun-07, at 9:46 AM, Recordon, David wrote:
> So please, check it out and let me know what you think...especially
> around the questions in the Editorial Comments section at the end.
Here are the issues that came up while I implemented PAPE in
openid4java:
5.1 Request Parameters
- Is preferred_auth_policies REQUIRED? Assume yes, but not clearly
spelled out.
- "the OP MUST authenticate the End User for this request."
What if the OP / user don't want to re-authenticate, and have reasons
to continue their session with the previous / old auth? (For example
user changed his mind at the OP about buying the book from amazon,
and declines the OP's request to re-authenticate).
- "The OP should realize that not adhering to the request for re-
authentication..." implies there is an alternative to the above
(other than breaking the protocol). Maybe the MUST above should be a
SHOULD?
- (max_)auth_age is defined as "numeric". Is there value in allowing
floating-point numbers here? Would be simpler to be an integer.
5.2 Response Parameters
- auth_age: What should the value be if the OP did not actively
authenticate the user for the current session? Suggesting "unknown"
as a special value for this.
- auth_age: Since the message may spend a (not-insignificant) time
  after it's created (by the library):
    - before it's put on the wire
    - on the wire
    - while it's being processed by the RP
  a timestamp value may be better suited here (rename it to auth_time
  maybe?). This way the RP will be able to determine the auth_age at
  any time (e.g. when it actually needs to perform the sensitive
  operation). Could use the formatting used for nonces (from RFC3339).
- nist_auth_level: "Numeric value" - probably was meant as integer
value.
Thanks,
Johnny
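The following is an added example, not part of this email and not openid4java code, illustrating the RP-side freshness check the message argues for. It assumes a hypothetical absolute `auth_time` response parameter in the nonce-style RFC3339 form (`YYYY-MM-DDThh:mm:ssZ`), the proposed special value `"unknown"`, and an integer-only `max_auth_age`; all timestamps below are constructed sample values. It also shows how a relative `auth_age` computed by the OP at message-creation time drifts by the time the RP actually performs the sensitive operation.

```python
from datetime import datetime, timezone

# Constructed sample value (not from the email): when the OP authenticated the user.
SAMPLE_AUTH_TIME = "2007-06-29T02:00:00Z"


def parse_rfc3339_utc(value):
    """Parse the RFC3339 'YYYY-MM-DDThh:mm:ssZ' form used for OpenID nonces (UTC only)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_max_auth_age(value):
    """Accept only a non-negative integer number of seconds, rejecting '30.5' and the like."""
    if not value.isdigit():
        raise ValueError("max_auth_age must be a non-negative integer: %r" % value)
    return int(value)


def auth_age_seconds(auth_time, now):
    """Age of the authentication event, computed from an absolute timestamp at check time."""
    return int((now - auth_time).total_seconds())


def is_fresh_enough(auth_time_value, max_auth_age, now):
    """RP-side check, run at the moment the sensitive operation is about to happen.

    auth_time_value is the hypothetical auth_time response parameter, or the
    proposed special value 'unknown' meaning the OP did not actively authenticate
    the user for this session; 'unknown' never satisfies a freshness requirement.
    """
    if auth_time_value == "unknown":
        return False
    age = auth_age_seconds(parse_rfc3339_utc(auth_time_value), now)
    if age < 0:
        # A timestamp in the future means clock skew or a bad value; do not treat it as fresh.
        return False
    return age <= max_auth_age


def true_age_of_relative_auth_age(relative_auth_age, created_at, checked_at):
    """Show the drift problem with a relative auth_age.

    relative_auth_age is what the OP put in the message when it built it at
    created_at; by the time the RP checks at checked_at the real age is larger
    by the time the message spent being queued, on the wire and being processed.
    """
    return relative_auth_age + int((checked_at - created_at).total_seconds())


if __name__ == "__main__":
    now = parse_rfc3339_utc("2007-06-29T02:31:02Z")  # constructed check time at the RP
    print("age:", auth_age_seconds(parse_rfc3339_utc(SAMPLE_AUTH_TIME), now))
    print("fresh within 3600s:", is_fresh_enough(SAMPLE_AUTH_TIME, parse_max_auth_age("3600"), now))
    print("fresh within 600s:", is_fresh_enough(SAMPLE_AUTH_TIME, parse_max_auth_age("600"), now))
    created = parse_rfc3339_utc("2007-06-29T02:00:30Z")
    print("relative 30s becomes:", true_age_of_relative_auth_age(30, created, now))
```

Because the absolute timestamp is evaluated when the RP needs it, the same response can be accepted for a quick operation and rejected for one the user only reaches several minutes later, which a single relative `auth_age` value fixed at message-creation time cannot express.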