Google OpenID Connect: Receiving a 500 error when supplying the “max_age” parameter to an authentication request

我的未来我决定 提交于 2019-12-30 14:08:48

问题


As required by Google, we are attempting to finish our migration from Google's previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has been relatively straightforward up until we attempted to use the max_age parameter (as defined in the openid-connect-core spec), which serves to replace the OpenID pape extension parameter: max_auth_age.

Supplying the max_age parameter doesn't break the authentication request right away, but only after the user successfully re-authenticates himself with Google; after which Google returns a 500 error:

  1. That’s an error.

There was an error. Please try again later. That’s all we know.

Discarding the parameter averts the 500 error, but does not fix the problem, seeing as we require re-authentication before entry to certain areas of our sites.

The Authentication request URL appears to be properly constructed and valid. Again, it works fine without the max_age parameter. Example request with max_age=0.


回答1:


Google does not honor the max_age parameter and may be considered to be outside of the spec on that one. Yet they have sound reasoning for it (see: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150323/005445.html) that boils down to the fact that they don't want the RP to take full control over re-authentication with a "one size fits all" feature and some additional security considerations.

I'm hoping someone from Google will reply here as well with their plans going forward but for now there's nothing that you can do about it.




回答2:


As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.

However, regardless of the value of max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).

If you need to reauthenticate users on your own site, you are encouraged to do so via another means.



来源:https://stackoverflow.com/questions/29748579/google-openid-connect-receiving-a-500-error-when-supplying-the-max-age-parame

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!