openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

OP-Req-max_age=10000 #186

Open DecorteHannes opened 5 years ago

DecorteHannes commented 5 years ago

Hello,

We fail the test "OP-Req-max_age=10000" because the auth_time for both flows is not the same.

  1. Due to security restrictions of the authentication method used (we have no influence on that), users need to authenticate every time a flow is performed to get a token. So there is no concept of a session on the authentication provider, and the auth_time will never be the same.
  2. As we read the specification, max_age does not require the auth_time to be the same; it requires that the auth_time is not too long ago (10.000 seconds in this case). So the test seems to be "wrong", i.e. wrong in our case, where there is no session on the authentication provider.

This results in the fact that we cannot pass certification.

Any thoughts or comments?

Regards Hannes
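For reference, this is what the max_age rule in OpenID Connect Core 1.0 asks of a Relying Party: when max_age was sent, the ID Token must carry auth_time, and that authentication must be no older than max_age seconds. The check below is an added example written for this thread, not code from oidctest; the claim sets, the `NOW` timestamp and the `CLOCK_SKEW` allowance are constructed assumptions.

```python
import time
from typing import Optional, Tuple

# Constructed tolerance for clock drift between OP and RP (assumption, not from the spec).
CLOCK_SKEW = 60


def check_max_age(id_token_claims: dict, max_age: int, now: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the max_age rule of OpenID Connect Core 1.0 on the RP side.

    When the authentication request carried max_age, the ID Token MUST contain
    auth_time, and the recorded authentication must not be older than max_age
    seconds. The spec does not require auth_time to be identical across flows.
    """
    now = int(time.time()) if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time claim missing although max_age was requested"
    if not isinstance(auth_time, int):
        return False, "auth_time must be a NumericDate (integer seconds since epoch)"
    if auth_time > now + CLOCK_SKEW:
        return False, "auth_time lies in the future beyond the allowed clock skew"
    elapsed = now - auth_time
    if elapsed > max_age:
        return False, f"authentication is {elapsed}s old, exceeds max_age={max_age}"
    return True, f"authentication is {elapsed}s old, within max_age={max_age}"


# Constructed ID Token claim sets: two consecutive flows from an OP that
# re-authenticates on every request (so auth_time differs), plus a stale one.
NOW = 1_700_000_000
FLOWS = {
    "flow_1": {"iss": "https://op.example", "sub": "user-1", "auth_time": NOW - 30},
    "flow_2": {"iss": "https://op.example", "sub": "user-1", "auth_time": NOW - 5},
    "stale": {"iss": "https://op.example", "sub": "user-1", "auth_time": NOW - 20_000},
    "no_auth_time": {"iss": "https://op.example", "sub": "user-1"},
}


def evaluate_flows(max_age: int = 10_000) -> dict:
    """Return, per constructed flow, whether it satisfies max_age at time NOW."""
    return {name: check_max_age(claims, max_age, now=NOW)[0] for name, claims in FLOWS.items()}


if __name__ == "__main__":
    for name, claims in FLOWS.items():
        print(name, *check_max_age(claims, 10_000, now=NOW))
```

Run as a script it prints one verdict per flow: the two fresh flows pass despite different auth_time values, while the stale and missing-claim cases fail.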

zandbelt commented 5 years ago

see #184

DecorteHannes commented 5 years ago

@zandbelt: Thanks. Searched for an open issue but did not find it.