[security] PAPE Policy for RPs to force authentication without browser cookie
Allen Tom
atom at yahoo-inc.com
Tue Jul 7 19:34:36 UTC 2009
Eric Sachs wrote:
>
> The higher priority requests we get in this area are to support things
> like (1) forcing the user to change their password (such as in cases
> where the RP is pretty sure the user's credentials have been stolen)
> and (2) forcing the user to re-confirm they want their identity shared
> with the RP even if previously asked for this to be done automatically.
>
I believe case #2 can be addressed in the OpenID UI Extension, using a
special flag or mode that an RP can pass to the OP to indicate that
checkid_setup should be interactive, even if the user had previously
approved automatic login for the RP.
Allen