Allen,

The PAPE Extension seems to be the right way to implement this functionality in OpenID, and I believe that the authors of the PAPE spec intended RPs to be able to specify openid.pape.max_auth_age=0 in the request to ask the OP to authenticate the user without relying on browser cookies. In the case where the user is already authenticated at the OP (using cookies), the expectation is that the OP re-authenticates the user before returning a positive assertion to the RP. In the most common case, where the user authenticates with a password, the OP is expected to verify the user's password before returning the assertion to the RP.

This could be clearer in the spec, but given the "zero or more" verbiage, I'd agree with your interpretation.

For instance, what if the RP specified max_auth_age=<1 minute>? Sometimes users take a few minutes to complete the OpenID sign in flow (they might get distracted), and although the user may have entered their password immediately after being redirected to the OP, the user may have taken more than a minute to navigate through the OP's approval screen, before clicking on the button to return back to the RP.

Isn't it the OP that is obliged to perform the check? It would be performed immediately when the user presents the message, I'd imagine, since it's determining how to handle the request.

It wouldn't matter if they dally at the OP if the RP weren't likely to complain about the auth_time on the user's arrival, which is a separate matter (and not mandated by spec from what I can tell). But some check probably needs to be explicitly performed by the RP on the return leg until authentication requests can be signed. Sigh.

Either way, the RP would only be sabotaging its own user base here, so this falls more into the category of recommendations or best practices, in my opinion.

The SHOULD there reads strangely too, though.

In order to provide a standard "force authentication" interface, I propose that either we define a new PAPE policy, or we clearly define max_auth_age=0 as a special value.

Having seen other working group applications and spec revisions move a little gradually, I feel compelled to first ask: how painful are these options?

comments?

Yes. Signed authentication requests would be nice and limit the "trust, but verify" the RP needs to do -- that is to say, limit the amount of private data the OP needs to expose.

Take care,
Nate.
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
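Editor's added example (not code from this thread, the OpenID working group, or any OpenID library): an RP-side check of the PAPE auth_time on the return leg, of the kind the exchange above says an RP probably needs to perform until authentication requests can be signed. The request/response field names and the ISO 8601 UTC format of auth_time follow PAPE 1.0; the sample response values are constructed, and the slack_seconds tolerance is an assumption added here to cover the case raised above, where a user enters a password promptly but then dallies on the OP's approval screen before returning. Whether and how tightly an RP enforces this remains the RP's own policy, as the thread notes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the PAPE fields an RP would find in a positive assertion.
# Field names follow PAPE 1.0; the values are made up for this example.
SAMPLE_RESPONSE = {
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant",
    "openid.pape.auth_time": "2009-03-01T12:00:05Z",
}


def parse_auth_time(value):
    """Parse a PAPE auth_time value (ISO 8601, UTC, trailing 'Z') into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be expressed in UTC with a trailing 'Z'")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_pape_response(response, requested_max_auth_age, now, slack_seconds=120):
    """RP-side freshness check of a PAPE response against the max_auth_age the RP asked for.

    requested_max_auth_age: seconds the RP sent as openid.pape.max_auth_age, or None if omitted.
    now: the RP's clock when the assertion arrives (aware UTC datetime).
    slack_seconds: assumed tolerance for time spent on the OP's approval screen plus clock
        skew. With max_auth_age=0 ("force re-authentication"), a literal zero tolerance
        would reject every honest user, because auth_time is always somewhat in the past
        by the time the browser comes back to the RP.
    Returns (ok, reason).
    """
    if requested_max_auth_age is None:
        return True, "no max_auth_age was requested; nothing to check"

    raw = response.get("openid.pape.auth_time")
    if raw is None:
        # PAPE 1.0 obliges the OP to return auth_time when max_auth_age was requested.
        return False, "auth_time missing from response although max_auth_age was requested"

    try:
        auth_time = parse_auth_time(raw)
    except ValueError as exc:
        return False, f"unparseable auth_time: {exc}"

    slack = timedelta(seconds=slack_seconds)
    if auth_time > now + slack:
        return False, "auth_time lies in the future beyond the allowed skew"

    age = now - auth_time
    allowed = timedelta(seconds=requested_max_auth_age) + slack
    if age > allowed:
        return False, (f"authentication is {int(age.total_seconds())}s old, "
                       f"allowed at most {int(allowed.total_seconds())}s")
    return True, f"authentication is {int(age.total_seconds())}s old"


if __name__ == "__main__":
    # User typed a password at 12:00:05, spent 55s on the approval screen, returned at 12:01:00.
    arrival = parse_auth_time("2009-03-01T12:01:00Z")
    print(check_pape_response(SAMPLE_RESPONSE, 0, arrival))                  # accepted with slack
    print(check_pape_response(SAMPLE_RESPONSE, 0, arrival, slack_seconds=0)) # rejected: literal zero
```

The two calls at the bottom show the point made in the thread: with max_auth_age=0 and no tolerance, a user who authenticated less than a minute ago is still rejected, so an RP that checks auth_time on arrival has to budget for the approval-screen delay rather than compare against zero literally.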
