How to treat a zero max_age request parameter?

Issue #993 resolved
Vladimir Dzhuvinov created an issue

The core spec is not clear how an OP must treat an OpenID authentication request with max_age=0, and this question was raised by a developer:

  1. Leave it up to the OP to decide whether the end-user is to be (re)authenticated (same as max_age omitted)?

  2. Treat it as a prompt=login request?

OpenID PAPE also appears ambiguous on this. Is there an established practise when max_age=0?


Comments (3)

  1. Log in to comment