Auto logout? Request re-authentication from the server?
Simon Josefsson
simon at yubico.com
Wed Jul 2 17:29:42 UTC 2008
Martin Paljak <martin at paljak.pri.ee> writes:
> Hi Simon,
>
> I believe expires_in from
> http://openid.net/specs/openid-authentication-2_0.html#anchor20
> is the thing you're interested in?
Hi Martin. Ah, thanks for the pointer, I wasn't aware of that
parameter.
It isn't _exactly_ what I'm looking for -- I don't want to _force_ the
RP to re-authenticate. I want to let the RP know that by
re-authenticating frequently, it can improve security. This matches how
all one-time-password systems operate.
Some RPs may be less security sensitive, and then it does not matter if
it continues without re-authentication. However, some RPs may want to
take advantage of re-authentication if it is useful.
Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is
changed into a 'SHOULD NOT' and a note is added to say that sites with
low security needs can ignore a low expires_in value.
Maybe I should write a PAPE authentication profile for this. I'm trying
to find out if this is something people feel is generally useful,
though, which could argue for including it in the standard.
/Simon
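As an added illustration of the proposal above (not code from the post, the OpenID specification, or any library), the following Python sketch models an RP that receives an `expires_in` hint from the OP and treats it either as advice to ignore or as a re-authentication deadline, depending on its own sensitivity. The `expires_in` semantics here are the hypothetical "SHOULD NOT" reading Simon describes, not what the specification currently defines; the response body is constructed for the example and parsed with the key-value form encoding that OpenID 2.0 uses.

```python
"""Model of an RP honouring (or ignoring) a re-authentication hint.

Added example, not part of the original thread. Assumes a hypothetical
'expires_in' hint (seconds) carried alongside a positive assertion and an
RP-side policy that decides whether the hint is binding.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


def parse_key_value_form(body: str) -> Dict[str, str]:
    """Parse OpenID 2.0 key-value form encoding: one "key:value" per line.

    Values may themselves contain ':' (e.g. the 'ns' URL), so split only
    on the first colon.
    """
    fields: Dict[str, str] = {}
    for line in body.split("\n"):
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed key-value line: {line!r}")
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


class Sensitivity(Enum):
    LOW = "low"    # site with low security needs: hint is ignored
    HIGH = "high"  # site that benefits from fresh authentication: hint binds


@dataclass
class Session:
    issued_at: int                # Unix time of the last accepted assertion
    expires_in: Optional[int]     # OP hint in seconds, None if not supplied


def session_from_response(body: str, issued_at: int) -> Session:
    """Build the RP's session record from a (constructed) OP response."""
    fields = parse_key_value_form(body)
    raw = fields.get("expires_in")
    expires_in = None
    if raw is not None:
        expires_in = int(raw)
        if expires_in < 0:
            raise ValueError("expires_in must be non-negative")
    return Session(issued_at=issued_at, expires_in=expires_in)


def needs_reauth(session: Session, policy: Sensitivity, now: int) -> bool:
    """Decide whether the RP should send the user back to the OP.

    A LOW-sensitivity RP never re-authenticates on the hint alone; a
    HIGH-sensitivity RP does once the hinted lifetime has elapsed.
    """
    if session.expires_in is None or policy is Sensitivity.LOW:
        return False
    return now >= session.issued_at + session.expires_in


# Constructed sample: a positive assertion carrying a 5-minute hint.
SAMPLE_RESPONSE = (
    "ns:http://specs.openid.net/auth/2.0\n"
    "mode:id_res\n"
    "expires_in:300\n"
)

if __name__ == "__main__":
    sess = session_from_response(SAMPLE_RESPONSE, issued_at=1000)
    for policy in Sensitivity:
        print(policy.value, "at t=1300 ->", needs_reauth(sess, policy, 1300))
```

The split-on-first-colon detail matters because the `ns` value is a URL; a naive `line.split(":")` would corrupt it. The policy switch is the point of the example: the same hint is a hard deadline for one RP and mere advice for another.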