Parsing max_age parameter

Issue #180 resolved
Sergey Akhapkin created an issue
  • Allows negative values while the spec states:

OpenID Connect Core: The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter ...

OpenID PAPE: openid.pape.max_auth_age ... Value: Integer value greater than or equal to zero in seconds.

  • There is no difference between a 0 value and that value missing from the request, although the spec is not fully clear here (e.g. how to treat 0; it looks the same as prompt=login), I guess it allows different behavior:

OpenID Core:

Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.

OpenID PAPE:

If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP SHOULD authenticate the End User for this request using the requested policies.

OpenID PAPE:

If this parameter is absent from the request, the OP should authenticate the user at its own discretion.

Comments (8)

  1. Connect2id OSS

    We'll update the code so that negative max_age values are not allowed, and on parsing an auth request they will produce an invalid_request error.

    As for the treatment of zero, this seems ambiguous. Should be treated as ignore, or prompt=login? We'll raise the question with the OIDC WG. Stay tuned.

  2. Vladimir Dzhuvinov

    v5.13 fixes max_age=0 treatment in a few other places that got left out (client metadata -> default_max_age)

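The three cases discussed above (negative or non-integer max_age rejected with invalid_request, as Connect2id resolved; 0 distinguished from an absent parameter; absent left to OP discretion) as an added, stand-alone Python example. This is not code from the Connect2id SDK or server; it is a generic authorization-request check written for this page. The `zero_forces_login` switch is an assumption that makes the ambiguous max_age=0 case an explicit policy knob, and the sample query strings are constructed inputs.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# max_auth_age per OpenID PAPE: integer >= 0, in seconds. Only plain
# decimal digits are accepted, so "-1", "+5", "1e3", "" and " 5" all fail.
_MAX_AGE_RE = re.compile(r"[0-9]+")


class InvalidRequest(ValueError):
    """Malformed max_age; the OP would answer with error=invalid_request."""
    error = "invalid_request"


def parse_max_age(params: dict) -> Optional[int]:
    """Return None when max_age is absent, its integer value otherwise.

    Raises InvalidRequest on a negative, non-numeric, empty or repeated value.
    """
    values = params.get("max_age")
    if values is None:
        return None                      # absent: OP authenticates at its discretion
    if len(values) != 1:
        raise InvalidRequest("max_age must not be repeated")
    raw = values[0]
    if not _MAX_AGE_RE.fullmatch(raw):
        raise InvalidRequest(f"max_age must be a non-negative integer, got {raw!r}")
    return int(raw)                      # 0 is a valid, distinct value


def must_reauthenticate(max_age: Optional[int], auth_time: Optional[int], now: int,
                        zero_forces_login: bool = True) -> bool:
    """Decide whether the End-User must actively authenticate again.

    max_age is the allowable elapsed time in seconds since auth_time (the last
    active authentication). zero_forces_login is an assumption for this example:
    the thread notes that the spec leaves max_age=0 ambiguous (ignore vs. prompt=login).
    """
    if max_age is None:
        return False                     # OP discretion; this example does not force login
    if max_age == 0:
        return zero_forces_login         # policy choice for the ambiguous case
    if auth_time is None:
        return True                      # no record of a prior active authentication
    return now - auth_time > max_age     # elapsed time exceeds the allowance


def id_token_extra_claims(max_age: Optional[int], auth_time: int) -> dict:
    """OIDC Core 3.1.2.1: when max_age was in the request, auth_time is REQUIRED in the ID Token."""
    return {"auth_time": auth_time} if max_age is not None else {}


def evaluate(query: str, auth_time: Optional[int], now: int,
             zero_forces_login: bool = True) -> dict:
    """Parse a raw query string and return either an error or the resulting decision."""
    # keep_blank_values so that "max_age=" is seen as present-but-empty and rejected
    params = parse_qs(query, keep_blank_values=True)
    try:
        max_age = parse_max_age(params)
    except InvalidRequest as exc:
        return {"error": exc.error, "error_description": str(exc)}
    return {
        "max_age": max_age,
        "reauthenticate": must_reauthenticate(max_age, auth_time, now, zero_forces_login),
    }


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed sample requests, not captured traffic.
    for q in ("response_type=code&client_id=c1&max_age=300",
              "response_type=code&client_id=c1&max_age=0",
              "response_type=code&client_id=c1&max_age=-1",
              "response_type=code&client_id=c1&max_age=",
              "response_type=code&client_id=c1"):
        print(q, "->", evaluate(q, auth_time=now - 100, now=now))
```

A session authenticated 100 seconds ago passes max_age=300, is re-authenticated under max_age=0 with the default policy, and is untouched when max_age is absent; the negative and empty values are refused before any session state is consulted.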