[security] PAPE Policy for RPs to force authentication without browser cookie
Eric Sachs
esachs at google.com
Tue Jul 7 19:43:10 UTC 2009
> I believe case #2 can be addressed in the OpenID UI Extension, using a
> special flag or mode that an RP can pass to the OP to indicate that
> checkid_setup should be interactive, even if the user had previously
> approved automatic login for the RP.

Good point.

On Tue, Jul 7, 2009 at 12:34 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Eric Sachs wrote:
>
>>
>> The higher priority requests we get in this area are to support things
>> like (1) forcing the user to change their password (such as in cases where
>> the RP is pretty sure the user's credentials have been stolen) and (2)
>> forcing the user to re-confirm they want their identity shared with the RP
>> even if previously asked for this to be done automatically.
>>
> I believe case #2 can be addressed in the OpenID UI Extension, using a
> special flag or mode that an RP can pass to the OP to indicate that
> checkid_setup should be interactive, even if the user had previously
> approved automatic login for the RP.
>
> Allen
>
>