
As required by Google, we are attempting to finish our migration from Google's previous OpenID Authentication flow to the new OpenID Connect implementation. Everything has been relatively straightforward up until we attempted to use the max_age parameter (as defined in the openid-connect-core spec), which serves to replace the OpenID pape extension parameter: max_auth_age.

Supplying the max_age parameter doesn't break the authentication request right away, but only after the user successfully re-authenticates himself with Google; after which Google returns a 500 error:

  1. That’s an error.

There was an error. Please try again later. That’s all we know.

Discarding the parameter averts the 500 error, but does not fix the problem, seeing as we require re-authentication before entry to certain areas of our sites.

The Authentication request URL appears to be properly constructed and valid. Again, it works fine without the max_age parameter. Example request with max_age=0.

William Denniss
Adam

2 Answers


Google does not honor the max_age parameter and may be considered to be outside of the spec on that one. Yet they have sound reasoning for it (see: https://lists.openid.net/pipermail/openid-specs-ab/2015-March/005445.html) that boils down to the fact that they don't want the RP to take full control over re-authentication with a "one size fits all" feature and some additional security considerations.

I'm hoping someone from Google will reply here as well with their plans going forward, but for now there's nothing that you can do about it.

ZachB
Hans Z.
  • Yes, definitely hoping to get a reply from someone at Google. There doesn't appear to be any other obvious channel for developer support or bug reports other than SO. I'm not so sure they do not honor the `max_age` parameter since it definitely alters the authentication flow, requiring that the user re-enter their credentials - as expected. Returning a 500 after re-authentication is more indicative of a misconfiguration or bug. – Adam Apr 20 '15 at 21:12
  • People from Google keep an eye on the `google-oauth` and `google-openid` SO tags. The docs (e.g. https://developers.google.com/identity/protocols/OpenIDConnect) specifically suggest posting here, so you've come to the right place. – William Denniss Apr 20 '15 at 22:07

As of this week, Google accepts the max_age parameter, and will return an auth_time claim in the ID Token when max_age is passed.

However, regardless of the value of the max_time parameter, users won't be prompted to reauthenticate based on their session time, as that is not a pattern Google supports. Rather, users are asked to reauthenticate only when it is deemed necessary (e.g. the user is accessing their account from a new location).

If you need to reauthenticate users on your own site, you are encouraged to do so via another means.

William Denniss