Confused

Reputation: 879

Force users to re-authenticate in OpenId using DotNetOpenAuth

I am attempting to use pape.MaximumAuthenticationAge to force users to re-authenticate with the OP, but the samples in DotNetOpenAuth do not seem to handle it.

After reading DotNetOpenAuth "Sign Out" Button and http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor8 this seems like the right way to do it.

Please would someone confirm that this is the right way to do it and suggest what changes I need to make in the OP example to make it happen. Thanks.

Upvotes: 1

Views: 984

Answers (1)

Jon

Reputation: 36

You're correct, OpenId allows you to apply a 'max auth age' condition to requests that will instruct the OP to authenticate when the End User has not authenticated within -n- seconds. By setting this parameter to '1', you can effectively force the OP to re-authenticate the End User.

However, do NOT assume that every Provider has implemented functionality to enforce the 'max auth age' parameter. This may be the cause of any unexpected behavior that you're seeing.

From the docs:

If an OP does not satisfy a request for timely authentication, the RP may decide not to grant the End User access to the services provided by the RP.

Use the following page to test support for this parameter on an OP-by-OP basis: http://test-id.org/OP/MaxAuthAge.aspx

Upvotes: 1
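The relying-party side of the answer's caveat, as an added example that is not part of the question, the answer or the DotNetOpenAuth samples: send `max_auth_age` through the PAPE extension, then verify the `auth_time` the OP returns instead of trusting that the OP enforced it. It assumes DotNetOpenAuth's `PolicyRequest`/`PolicyResponse` types and their `MaximumAuthenticationAge`/`AuthenticationTimeUtc` members; the class name, the two-minute tolerance and the error strings are this example's own choices.

```csharp
// Added example (not from the page): RP requests a maximum authentication age
// via PAPE and refuses assertions whose auth_time does not satisfy it.
using System;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;

public static class FreshAuthRelyingParty
{
    // Same value the answer suggests; tune per application.
    private static readonly TimeSpan MaxAuthAge = TimeSpan.FromSeconds(1);
    // Allowance for OP/RP clock drift and redirect latency (assumed value).
    private static readonly TimeSpan Tolerance = TimeSpan.FromMinutes(2);

    // Step 1: build the checkid request and attach the PAPE max_auth_age condition.
    public static void BeginLogin(OpenIdRelyingParty openid, string openidIdentifier)
    {
        IAuthenticationRequest request = openid.CreateRequest(Identifier.Parse(openidIdentifier));
        request.AddExtension(new PolicyRequest { MaximumAuthenticationAge = MaxAuthAge });
        request.RedirectToProvider();
    }

    // Step 2: on the return URL, accept the assertion only if the OP reports an
    // auth_time within the requested age. A missing PAPE response or a stale
    // auth_time means the OP did not enforce the policy, so the RP refuses.
    public static bool CompleteLogin(OpenIdRelyingParty openid, out string claimedId, out string reason)
    {
        claimedId = null; reason = null;
        IAuthenticationResponse response = openid.GetResponse();
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
        {
            reason = "not authenticated";
            return false;
        }
        PolicyResponse pape = response.GetExtension<PolicyResponse>();
        if (pape == null || !pape.AuthenticationTimeUtc.HasValue)
        {
            reason = "OP returned no PAPE auth_time; fresh authentication cannot be verified";
            return false;
        }
        TimeSpan age = DateTime.UtcNow - pape.AuthenticationTimeUtc.Value;
        if (age > MaxAuthAge + Tolerance)
        {
            reason = string.Format("authentication is {0:F0}s old, exceeds max_auth_age", age.TotalSeconds);
            return false;
        }
        claimedId = response.ClaimedIdentifier.ToString();
        return true;
    }
}
```

The tolerance matters with a one-second `max_auth_age`: an OP that did re-authenticate still needs a few seconds to redirect the browser back, so the RP compares against the age plus a bounded allowance rather than the raw value.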
