Final: OpenID Provider Authentication Policy Extension 1.0 : Authentication Protocol (my own translation)


5.  Authentication Protocol





5.1.  Request Parameters

The following parameters MUST be included during an OpenID Authentication request [OpenIDAuthentication2.0] (specs@openid.net, “OpenID Authentication 2.0,” 2007) by the Relying Party that uses this extension unless marked as optional.

  • openid.ns.pape

    Value:

    http://specs.openid.net/extensions/pape/1.0
  • openid.pape.max_auth_age (maximum authentication age)

    (Optional) If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP SHOULD authenticate the End User for this request using the requested policies. The OP MUST actively authenticate the user and not rely on a browser cookie from a previous authentication.

    Value: Integer value greater than or equal to zero, in seconds.

    If an OP does not satisfy a request for timely authentication, the RP may decide not to grant the End User access to the services provided by the RP. If this parameter is absent from the request, the OP should authenticate the user at its own discretion.

  • openid.pape.preferred_auth_policies (authentication policies)

    Zero or more authentication policy URIs representing authentication policies that the OP SHOULD satisfy when authenticating the user. If multiple policies are requested, the OP SHOULD satisfy as many of them as it can.

    Value: Space separated list of authentication policy URIs.

    If no policies are requested, the RP may be interested in other information such as the authentication age. (In other words, with no policies listed the RP is taken to care only about other information, such as the authentication age.)

    Example:

    openid.pape.preferred_auth_policies=
      http://schemas.openid.net/pape/policies/2007/06/phishing-resistant
      http://schemas.openid.net/pape/policies/2007/06/multi-factor

  • openid.pape.auth_level.ns.<cust> (custom assurance level namespace)

    (Optional) The name space for the custom Assurance Level. Assurance levels and their name spaces are defined by various parties, such as country or industry specific standards bodies, or other groups or individuals.

    Value: URL that represents this Assurance Level.

    Example:

    openid.pape.auth_level.ns.nist=
      http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
    openid.pape.auth_level.ns.jisa=
      http://www.jisa.or.jp/spec/auth_level.html

  • openid.pape.preferred_auth_level_types (preferred assurance levels)

    (Optional) A list of the name space aliases for the custom Assurance Level name spaces that the RP requests be present in the response, in the order of its preference.

    Value: Space separated list of the name space aliases, in the order of the RP’s preference.

    Example:

    openid.pape.preferred_auth_level_types=jisa nist



5.2.  Response Parameters

In response to a Relying Party’s request, the following parameters MUST be included in the OpenID Authentication Response. All response parameters MUST be included in the signature of the Authentication Response. It is RECOMMENDED that an OP supporting this extension include the following parameters even if not requested by the Relying Party.

All response parameters MUST describe the End User’s current session with the OpenID Provider.

  • openid.ns.pape

    Value:

    http://specs.openid.net/extensions/pape/1.0

  • openid.pape.auth_policies (satisfied authentication policies)

    One or more authentication policy URIs representing policies that the OP satisfied when authenticating the End User. (That is, every authentication policy the OP satisfied is listed.)

    Value: Space separated list of authentication policy URIs.

    Note: If no policies were met though the OP wishes to convey other information in the response, this parameter MUST be included with the value of http://schemas.openid.net/pape/policies/2007/06/none. (That is, if nothing was satisfied, the special URI goes in.)

    Example:

    openid.pape.auth_policies=
      http://schemas.openid.net/pape/policies/2007/06/multi-factor
      http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical

  • openid.pape.auth_time (authentication time)

    (Optional) The most recent timestamp when the End User has actively authenticated to the OP in a manner fitting the asserted policies.

    Value: The timestamp MUST be formatted as specified in section 5.6 of [RFC3339] (Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps”), with the following restrictions:

    • All times must be in the UTC time zone, indicated with a "Z".
    • No fractional seconds are allowed.

    Example:

    2005-05-15T17:11:51Z

    Note: If the RP’s request included the "openid.pape.max_auth_age" parameter then the OP MUST include "openid.pape.auth_time" in its response. If "openid.pape.max_auth_age" was not requested, the OP MAY choose to include "openid.pape.auth_time" in its response.

  • openid.pape.auth_level.ns.<cust> (custom assurance level namespace)

    (Optional) The name space for the custom Assurance Level defined by various parties, such as a country or industry specific standards body, or other groups or individuals.

    Value: URL that represents this Assurance Level.

    Example:

    openid.pape.auth_level.ns.nist=
      http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
    openid.pape.auth_level.ns.jisa=
      http://www.jisa.or.jp/spec/auth_level.html

  • openid.pape.auth_level.<cust> (asserted custom assurance level)

    (Optional) The Assurance Level as defined by the above standards body, group, or individual that corresponds to the authentication method and policies employed by the OP when authenticating the End User. A custom Assurance Level definition MAY define additional subparameter values that are expressed within its namespace, although for reasons of simplicity, this SHOULD be avoided if possible.

    Value: Strings defined according to this Assurance Level.

    Example:

    openid.pape.auth_level.nist=1
    openid.pape.auth_level.jisa=2
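As an added example (not part of the specification or of this post), here is an RP-side check in Python of the request/response contract that 5.1 and 5.2 lay down: auth_policies must be present, every requested policy must appear among the satisfied ones, auth_time becomes mandatory (and must be a UTC, fraction-free RFC 3339 timestamp no older than max_auth_age) when the RP asked for max_auth_age, and any auth_level.<cust> must come with its auth_level.ns.<cust>. It assumes the response signature has already been verified and that parameters arrive as a plain dict; the function and constant names are hypothetical.

```python
import re
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
LEVEL_PREFIX = "openid.pape.auth_level."
# PAPE restricts the RFC 3339 auth_time to UTC ("Z") with no fractional seconds.
AUTH_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

def parse_auth_time(value):
    """Aware UTC datetime for a PAPE auth_time, or None if it breaks the restrictions."""
    if not AUTH_TIME_RE.match(value):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_pape_response(request, response, now):
    """Problems an RP should treat as a failed PAPE check ([] = OK); signature assumed verified."""
    problems = []
    if response.get("openid.ns.pape") != PAPE_NS:
        return ["PAPE namespace missing from response"]
    # auth_policies is mandatory; the special "none" URI counts as satisfying nothing.
    policies = response.get("openid.pape.auth_policies", "").split()
    if not policies:
        problems.append("auth_policies missing")
    requested = request.get("openid.pape.preferred_auth_policies", "").split()
    unmet = [p for p in requested if p not in policies or p == POLICY_NONE]
    if unmet:
        problems.append("unmet policies: " + " ".join(unmet))
    # max_auth_age in the request makes auth_time mandatory in the response.
    max_age, auth_time = request.get("openid.pape.max_auth_age"), response.get("openid.pape.auth_time")
    if max_age is not None:
        ts = parse_auth_time(auth_time) if auth_time is not None else None
        if ts is None:
            problems.append("auth_time missing or not a UTC RFC 3339 timestamp without fractions")
        elif (now - ts).total_seconds() > int(max_age):
            problems.append("authentication older than max_auth_age")
    for key in response:
        if key.startswith(LEVEL_PREFIX) and not key.startswith(LEVEL_PREFIX + "ns."):
            alias = key[len(LEVEL_PREFIX):]  # an asserted level needs auth_level.ns.<alias> too
            if LEVEL_PREFIX + "ns." + alias not in response:
                problems.append(f"auth_level.{alias} asserted without its namespace")
    return problems

def chosen_auth_level(request, response):
    """(alias, namespace URL, value) of the first level, in preferred_auth_level_types order, that the OP asserted with its namespace; else None."""
    for alias in request.get("openid.pape.preferred_auth_level_types", "").split():
        ns, value = response.get(LEVEL_PREFIX + "ns." + alias), response.get(LEVEL_PREFIX + alias)
        if ns is not None and value is not None:
            return alias, ns, value
    return None
```

Note that max_auth_age=0 means the RP wants a fresh active authentication, so an auth_time even a few seconds old fails the age comparison; that is the spec's intent, not a bug in the check.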

Final: OpenID Provider Authentication Policy Extension 1.0
