[security] PAPE Policy for RPs to force authentication without browser cookie

Allen Tom atom at yahoo-inc.com
Tue Jul 7 19:34:36 UTC 2009


Eric Sachs wrote:
>
> The higher priority requests we get in this area are to support things 
> like (1) forcing the user to change their password (such as in cases 
> where the RP is pretty sure the user's credentials have been stolen) 
> and (2) forcing the user to re-confirm they want their identity shared 
> with the RP even if previously asked for this to be done automatically.
>
I believe case #2 can be addressed in the OpenID UI Extension, using a 
special flag or mode that an RP can pass to the OP to indicate that 
checkid_setup should be interactive, even if the user had previously 
approved automatic login for the RP.

Allen
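As an added illustration of the subject line's case (an RP that wants a fresh authentication rather than one satisfied by the OP's existing browser cookie), the following Python is example code written for this page, not code from the thread, Yahoo, or any OpenID library. It uses the real PAPE 1.0 parameters `openid.pape.max_auth_age` (request) and `openid.pape.auth_time` (response); the endpoint URLs, the sample response and the helper names are constructed assumptions. The UI-extension flag Allen suggests for case #2 is not specified in the thread, so it is not modeled here. The RP-side check matters as much as the request: an OP that ignores `max_auth_age` simply omits or returns an old `auth_time`, and an unsigned `auth_time` can be altered in transit, so the RP verifies both before treating the login as fresh.

```python
"""Example (not from the thread): an RP forcing re-authentication via PAPE max_auth_age
and validating the OP's auth_time in the response."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def build_checkid_setup(op_endpoint, claimed_id, return_to, realm, max_auth_age=0):
    """Build a checkid_setup URL asking the OP to re-authenticate the user.

    max_auth_age=0 tells the OP that a session it already has (a browser cookie)
    must not satisfy this request; the user has to authenticate again now.
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age),
    }
    return op_endpoint + "?" + urlencode(params)


def check_auth_time(response, max_auth_age, now=None, skew=timedelta(seconds=60)):
    """Verify the OP honored max_auth_age. Returns (ok, reason).

    PAPE requires the OP to report the last authentication time in
    openid.pape.auth_time (ISO 8601 UTC, "Z" suffix) whenever max_auth_age was
    requested. Signature verification itself is assumed to be done by the RP's
    OpenID library; here we only confirm the PAPE fields are inside the signed set,
    since unsigned fields give no assurance at all.
    """
    now = now or datetime.now(timezone.utc)
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "PAPE namespace missing from response"
    # openid.signed lists field names without the "openid." prefix.
    signed = set(response.get("openid.signed", "").split(","))
    if not {"ns.pape", "pape.auth_time"} <= signed:
        return False, "PAPE fields are not covered by the signature"
    auth_time = response.get("openid.pape.auth_time")
    if auth_time is None:
        return False, "auth_time missing although max_auth_age was requested"
    try:
        t = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "auth_time is not ISO 8601 UTC"
    if t > now + skew:
        return False, "auth_time is in the future"
    if now - t > timedelta(seconds=max_auth_age) + skew:
        return False, "authentication is older than max_auth_age allows"
    return True, "fresh authentication"


# Constructed sample data (not a real OP response); 'now' is the thread's date.
SAMPLE_NOW = datetime(2009, 7, 7, 19, 34, 36, tzinfo=timezone.utc)
SIGNED_FIELDS = ("op_endpoint,claimed_id,identity,return_to,response_nonce,"
                 "assoc_handle,ns.pape,pape.auth_time")
FRESH_RESPONSE = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2009-07-07T19:34:10Z",  # 26 s ago: fresh
    "openid.signed": SIGNED_FIELDS,
}
STALE_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_time": "2009-07-07T18:00:00Z"})
UNSIGNED_RESPONSE = dict(FRESH_RESPONSE, **{"openid.signed": "op_endpoint,claimed_id,identity,return_to"})


def demo():
    """Run the three constructed responses through the check; returns their ok flags."""
    return tuple(check_auth_time(r, 0, SAMPLE_NOW)[0]
                 for r in (FRESH_RESPONSE, STALE_RESPONSE, UNSIGNED_RESPONSE))


if __name__ == "__main__":
    print(build_checkid_setup("https://op.example/endpoint", "https://user.example/",
                              "https://rp.example/return", "https://rp.example/"))
    print(demo())
```

The skew allowance covers clock drift between RP and OP; an RP that compares `auth_time` to its own clock with no tolerance will reject legitimate logins from OPs whose clock runs a few seconds behind.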
