Add additional requirements/options for OPs and RPs regarding re-auth…#12
Open
gffletch wants to merge 4 commits into openid:main from
Conversation
…entication
Addresses issue #92
Added mandatory requirements to the OP requirements
Outlined options for the RP in driving the desired behavior for re-authentication
| * MUST support `nonce` parameter values up to 64 characters in length, and MAY reject `nonce` values longer than 64 characters. | ||
| * MUST support the `max_age` parameter with a values representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than this value, the OP MAY choose to actively reauthenticate the user. If the elapsed time since authentication is greater than this value, the OP MUST actively reauthenticate the user. | ||
| * MUST support `prompt=login` where if specified, the OP MUST explicitly (re)authenticate the user using a user visible challenge. If the user is currently logged in as determined by the OP, then the OP MUST only re-authenticate that user. | ||
| * MUST support the `max_age` parameter with a values representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than the specified value OR the OP can silently authenticate the user and issue a new `auth_time` within the required `max_age`, then no user visible authentication is required. The OP MAY choose to explicitly (re)authenticate the user regardless. |
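Review bot: the replacement `max_age` sentence drops the obligation the old line carried. The new text only states when no user-visible authentication is required (elapsed time below `max_age`, or the OP can silently authenticate and issue a fresh `auth_time`), but never says what the OP MUST do in the remaining case, where the authentication is older than `max_age` and silent authentication is not possible; the old line covered it with "the OP MUST actively reauthenticate the user". Suggest ending the sentence with "otherwise the OP MUST explicitly (re)authenticate the user using a user visible challenge", mirroring the `prompt=login` bullet. Since the rule hinges on a fresh `auth_time`, consider also stating that the OP MUST return `auth_time` in the ID Token whenever `max_age` was requested, so the RP can verify the authentication age it asked for. The "a values" typo noted in the review is still present.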
did you mean 'value' instead of 'values'? Rest reads great
| * SHOULD NOT use `nonce` parameter values longer than 64 characters; | ||
| * SHOULD use `prompt=login` if the RP wants to ensure that the user is visibly challenged for (re)authentication | ||
| * SHOULD use the `max_age` parameter in the authentication request to specify the maximum allowable authentication age to the OP in seconds. The value of the `max_age` parameter MAY be determined based upon the business rules of the RP. | ||
| * SHOULD user `max_age` and `prompt=none` if the RP wants to ensure that the user is not visibly challenged for (re)authentication. |
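Review bot: the RP bullets contradict the OP bullets in this PR on `prompt=none`. The last bullet tells RPs to send `max_age` with `prompt=none` to ensure the user is not visibly challenged, but the OP `max_age` requirement above says the OP MAY explicitly (re)authenticate the user regardless, so the RP cannot ensure anything; either qualify that OP clause with "unless `prompt=none` was specified" or reword the RP bullet to say the request fails rather than prompts when silent authentication is not possible. The bullets also read as three independent SHOULDs (`prompt=login`, `max_age` alone, `max_age` with `prompt=none`) that cannot all be followed in one request; introduce them as alternatives, e.g. "depending on the desired behavior, the RP SHOULD use one of the following". The "SHOULD user" typo and the inconsistent bullet terminators (";" after the `nonce` bullet, nothing after the `prompt=login` bullet, "." on the last two) remain.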
To match the prompt=login requirement above, suggest we change the order in this sentence to "SHOULD use prompt=none and max_age".
Note the typo right now: "user" instead of "use".
aaronpk reviewed Sep 2, 2025
Addressed comments in the PR. Also a note that once we land on terminology, we may want to update this document.