Skip to content

max_age and auth_time #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 8, 2025
Merged

max_age and auth_time #4

merged 5 commits into from
Jul 8, 2025

Conversation

@deansaxe
Copy link
Contributor

@deansaxe deansaxe commented Jun 17, 2025

Updated to address needs of FAL2 in openid/ipsie#90 and openid/ipsie#89.

@deansaxe
max_age and auth_time
ff44a99 
Updated to address needs of FAL2.
@deansaxe deansaxe self-assigned this Jun 17, 2025
@deansaxe deansaxe requested a review from aaronpk as a code owner June 17, 2025 15:59
@ttripp
Copy link

ttripp commented Jun 17, 2025

For reference:

max_age
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value. Note that max_age=0 is equivalent to prompt=login.

https://openid.net/specs/openid-connect-core-1_0.html

deansaxe added 3 commits June 17, 2025 13:42
@deansaxe
Update draft-openid-ipsie-sl1-profile.md
2726335 
Follow up from discussion on June 17, 2025 call.

Updated the requirements to mandate the OP process the `max_age` property.  If the elapsed time since authN is < `max_age`, the OP MAY force reauthentication.  If the elapsed time is > `max_age`, the OP MUST force reauthentication.
@deansaxe
RP requirements for max_age
d390c84 
Updated to make it optional for the RP to send the `max_age` parameter.
@deansaxe
Fixed nits which broke the build
43ea81a 
Removed trailing spaces.
gffletch
gffletch reviewed Jul 2, 2025
View reviewed changes
@gffletch
Copy link

gffletch commented Jul 2, 2025

I missed the call on Jul 1 so don't know if this is resolved or not. I think we need to define what is meant my "end user authentication" (i.e. did the user need to do something? or is a silent authentication sufficient?). The OpenID Connect spec text also seems to imply ensuring that the authentication ensures the End-User is the same human who originally authenticated. I'm not sure we have good ways to do that other than biometric based challenges.

Maybe we can define this to mean that sufficient verification is performed by the OP to ensure that authentication methods bound to the identity associated with the session have been successfully completed.

@deansaxe
Copy link
Contributor Author

deansaxe commented Jul 2, 2025
edited
Loading

@gffletch see the notes from July 1.

We determined that the auth_time claim and amr claims should be paired. However, that doesn't resolve the issue of the auth_time if amr has multiple values. @aaronpk and I spoke this morning, we think there needs to be an extension to the core spec which enables the RP to determine the auth_time for each amr value. At first glance, a JSON array such as follows would meet the need.

"amr": "phr, rba"
"auth_time_amr" : [
  {"auth_time": 1311280969, "amr": "rba"} 
  {"auth_time": 1311280000, "amr": "phr"}
]

This is an example and may not be acceptable syntax, but it should give you an idea of what we're thinking about. I'm open to other ideas of how to represent the mapping of 2..n amr claims to the auth_time of each claim.

@deansaxe deansaxe mentioned this pull request Jul 3, 2025
Closed
@aaronpk aaronpk mentioned this pull request Jul 8, 2025
Closed
@aaronpk aaronpk merged commit d152411 into main Jul 8, 2025
2 checks passed
@aaronpk aaronpk deleted the deansaxe-FAL2-1 branch July 8, 2025 16:54
@deansaxe deansaxe mentioned this pull request Jul 9, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk aaronpk approved these changes

+1 more reviewer

@gffletch gffletch gffletch left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@deansaxe deansaxe

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@deansaxe @ttripp @gffletch @aaronpk