How to treat a zero max_age request parameter?
Issue #993
resolved
The core spec is not clear how an OP must treat an OpenID authentication request with max_age=0, and this question was raised by a developer:
- Leave it up to the OP to decide whether the end-user is to be (re)authenticated (same as max_age omitted)?
- Treat it as a prompt=login request?
OpenID PAPE also appears ambiguous on this. Is there an established practice when max_age=0?
Vladimir
Comments (3)
reporter Thank you Mike, I'll update our Java OIDC SDK and examples accordingly.
- changed status to resolved
Fixed #993 - How to treat a zero max_age request parameter → <<cset 46e74dc71c15>>
This is effectively prompt=login. We can add a comment to that effect.
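The resolution above, sketched as an added example (not code from the spec, the Java OIDC SDK, or anyone in this thread): an OP-side check that keeps max_age=0 distinct from an omitted max_age, plus the RP-side auth_time check that OpenID Connect Core asks for when max_age is sent. The function names, the reuse-the-session policy for an omitted max_age, and the 60-second skew allowance are assumptions.

```python
from typing import Optional

def parse_max_age(raw: Optional[str]) -> Optional[int]:
    """None means the parameter was omitted; 0 is a real value, not 'absent'."""
    if raw is None:
        return None
    value = int(raw)  # ValueError on non-numeric input
    if value < 0:
        raise ValueError("max_age must be a non-negative integer")
    return value

def must_reauthenticate(max_age: Optional[int], prompt: Optional[str],
                        auth_time: Optional[int], now: int) -> bool:
    """OP side: True when the end-user must be actively (re)authenticated."""
    if auth_time is None:                  # no existing session at the OP
        return True
    if "login" in (prompt or "").split():  # prompt is a space-delimited list
        return True
    if max_age is None:                    # omitted: OP policy (assumed: reuse session)
        return False
    if max_age == 0:                       # effectively prompt=login
        return True
    return now - auth_time > max_age

def rp_accepts_auth_time(max_age: Optional[int], auth_time_claim: Optional[int],
                         now: int, skew: int = 60) -> bool:
    """RP side: check the ID token's auth_time when max_age was requested."""
    if max_age is None:
        return True
    if auth_time_claim is None:            # auth_time is required when max_age is sent
        return False
    return now - auth_time_claim <= max_age + skew  # skew value is an assumption

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    for raw in (None, "0", "300"):
        print(raw, must_reauthenticate(parse_max_age(raw), None, now - 100, now))
```

A truthiness test such as `if max_age:` would fold 0 into the omitted case, which is the first reading in the question rather than the one adopted here.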