Once more, LJ valid_to timespan.
brad at danga.com
Thu Jul 7 11:18:53 PDT 2005
On Thu, 7 Jul 2005, Grant Monroe wrote:
> On 7/6/05, Brad Fitzpatrick <brad at danga.com> wrote:
> > I've also been out of town until tonight.
> > I'd love to start this conversation back up.
> If I am understanding things correctly, livejournal is only looking at
> the valid_to field in the check_authentication step for dumb clients.
> The openid.valid_to timestamp is created by the server along with the
> openid.issued timestamp. Shouldn't the server just be able to look at
> the issued field and decide whether it has been too long?
> The other interpretation of this field seems to be some sort of
> advisory timestamp that the server sends to a consumer for when the
> user needs to reauthenticate. In this case, I'm guessing most
> consumers are just going to ignore this value and do whatever they
> normally do for user sessions.
> I don't think that either of these cases has much merit, and my vote
> is to remove it from the spec.
That's my thinking too. Keep issued, but ditch valid_to.
check_authentication would then change to "is_valid" or something.
I think a "session & sign-off extension" could be added later, but OpenID
as it is should remain a one-time assertion protocol.
More information about the yadis