Parsing max_age parameter
- Allows negative values while spec states:
OpenID Connect Core: The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter ...
OpenID PAPE: openid.pape.max_auth_age ... Value: Integer value greater than or equal to zero in seconds.
- There is no difference between a 0 value and omitting the value from the request, although the spec is not fully clear here (e.g. how to treat 0: it looks like the same as prompt=login); I guess it allows different behavior:
OpenID Core:
Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
OpenID PAPE:
If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP SHOULD authenticate the End User for this request using the requested policies.
OpenID PAPE:
If this parameter is absent from the request, the OP should authenticate the user at its own discretion.
Comments (8)
-
reporter -
We'll update the code so that negative max_age values are not allowed, and on parsing an auth request they will produce an invalid_request error. As for the treatment of zero, this seems ambiguous. Should be treated as ignore, or prompt=login? We'll raise the question with the OIDC WG. Stay tuned.
-
That's a good catch! Posted the question to the OIDC spec bug tracker, it should also appear on the WG mailing list:
https://bitbucket.org/openid/connect/issues/993/how-to-treat-a-zero-max_age-request
-
Still no feedback from the OIDC WG.
-
Good news, we have a resolution from the WG:
https://bitbucket.org/openid/connect/issues/993/how-to-treat-a-zero-max_age-request
-
- changed status to open
-
- changed status to resolved
Updated auth request where -1 is now used to signify an unspecified max_age -> ff81990
Will be released shortly as v5.11.
-
v5.13 fixes max_age=0 treatment in a few other places that got left out (client metadata -> default_max_age)
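As an added example (not the SDK's own code, which is Java), the parsing and decision logic discussed in the report and the follow-up comments, written out in Python: a negative or non-integer max_age is rejected with invalid_request, an absent parameter falls back to the client's default_max_age, and max_age=0 is treated as forcing re-authentication, which is what the Core wording quoted above implies (no elapsed time is allowable) but is an assumption here, since the page does not state the WG resolution.

```python
from typing import Iterable, Optional


class InvalidRequest(ValueError):
    """Raised when the auth request is malformed (OAuth 2.0 'invalid_request')."""


def parse_max_age(raw: Optional[str]) -> Optional[int]:
    """Return None when max_age is absent, the parsed integer otherwise.

    PAPE defines max_auth_age as an integer >= 0, so negative and non-integer
    values are rejected with invalid_request instead of being passed through.
    """
    if raw is None:
        return None
    try:
        value = int(raw, 10)
    except ValueError:
        raise InvalidRequest("max_age must be an integer") from None
    if value < 0:
        raise InvalidRequest("max_age must be >= 0")
    return value


def must_reauthenticate(max_age: Optional[int], auth_time: Optional[int],
                        now: int, prompt: Iterable[str] = ()) -> bool:
    """Decide whether the OP must actively re-authenticate the End-User.
    None  -> OP's own discretion (here: only prompt=login forces re-auth)
    0     -> no elapsed time is allowable, so treated like prompt=login (assumption)
    N > 0 -> re-authenticate once more than N seconds have passed since auth_time
    """
    if "login" in prompt or max_age == 0:
        return True
    if max_age is None:
        return False
    if auth_time is None:  # no record of the last active authentication
        return True
    return now - auth_time > max_age


def check_auth_request(params: dict, client_default_max_age: Optional[int],
                       auth_time: Optional[int], now: int) -> dict:
    """Parse the request, fall back to client metadata default_max_age, decide."""
    try:
        max_age = parse_max_age(params.get("max_age"))
    except InvalidRequest as exc:
        return {"error": "invalid_request", "error_description": str(exc)}
    if max_age is None:  # request wins; otherwise the client's default_max_age (may be None)
        max_age = client_default_max_age
    prompt = params.get("prompt", "").split()
    return {"max_age": max_age,
            "reauthenticate": must_reauthenticate(max_age, auth_time, now, prompt)}
```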