Eric Sachs wrote:

The higher priority requests we get in this area are to support things like (1) forcing the user to change their password (such as in cases where the RP is pretty sure the user's credentials have been stolen) and (2) forcing the user to re-confirm they want their identity shared with the RP even if previously asked for this to be done automatically.

I believe case #2 can be addressed in the OpenID UI Extension, using a special flag or mode that an RP can pass to the OP to indicate that checkid_setup should be interactive, even if the user had previously approved automatic login for the RP.

Allen

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
