add default_max_age to Registration

Issue #531 resolved
John Bradley created an issue

Specifies that the End-User must be actively authenticated if the present authentication is older than the specified number of seconds.

This is not a highly dynamic value. Likely a Client will have a fixed rule about logins over 24h old or something like that. I propose setting a default for the client that can be overridden by the request_object.

default_max_age OPTIONAL. (max authentication age): Specifies that the End-User must be actively authenticated if any present authentication is older than the specified number of seconds. (The default_max_age request parameter corresponds to the OpenID 2.0 PAPE. This parameter is overridden by max_age in the request parameter if present.)

I am going with setting a default and overriding it with the request object as having multiple client_id will mess up session management and other things for the client.
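The precedence proposed in this issue, as an added Python example that is not part of the original issue or of any specification text: it shows how an OpenID Provider could pick the effective maximum authentication age and decide whether active re-authentication is required. The function names, the sample client record and the fail-closed handling of a missing or future `auth_time` are assumptions.

```python
from typing import Optional


def effective_max_age(client_default: Optional[int],
                      request_max_age: Optional[int]) -> Optional[int]:
    """max_age from the request wins; otherwise use the registered default_max_age."""
    chosen = request_max_age if request_max_age is not None else client_default
    if chosen is None:
        return None  # no age limit applies
    if isinstance(chosen, bool) or not isinstance(chosen, int) or chosen < 0:
        raise ValueError("max age must be a non-negative integer number of seconds")
    return chosen


def must_reauthenticate(auth_time: Optional[int], now: int,
                        client_default: Optional[int],
                        request_max_age: Optional[int] = None) -> bool:
    """True when the End-User must be actively authenticated again."""
    limit = effective_max_age(client_default, request_max_age)
    if auth_time is None or auth_time > now:
        return True  # assumption: no usable present authentication, fail closed
    if limit is None:
        return False
    # "older than the specified number of seconds"
    return (now - auth_time) > limit


# Constructed sample registration: a client with a fixed 24h rule.
CLIENT = {"client_id": "example-rp", "default_max_age": 24 * 3600}
NOW = 1_700_000_000  # constructed timestamp

if __name__ == "__main__":
    default = CLIENT["default_max_age"]
    # 25h-old login, no override: the registered default forces a fresh login.
    print(must_reauthenticate(NOW - 25 * 3600, NOW, default))
    # 1h-old login, request tightens max_age to 10 minutes.
    print(must_reauthenticate(NOW - 3600, NOW, default, request_max_age=600))
    # The override works in both directions: a larger request value
    # relaxes the registered default for that request.
    print(must_reauthenticate(NOW - 25 * 3600, NOW, default, request_max_age=48 * 3600))
```
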
