6 changes: 5 additions & 1 deletion draft-openid-ipsie-sl1-profile.md
Expand Up @@ -165,7 +165,9 @@ For the authorization code flow, OpenID Providers:
* MUST NOT use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see {{Section 4.12 of RFC9700}});
* SHOULD use the HTTP 303 status code when redirecting the user agent using status codes;
* MUST support `nonce` parameter values up to 64 characters in length, and MAY reject `nonce` values longer than 64 characters.
* MUST support the `max_age` parameter with a values representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than this value, the OP MAY choose to actively reauthenticate the user. If the elapsed time since authentication is greater than this value, the OP MUST actively reauthenticate the user.
* MUST support `prompt=login` where if specified, the OP MUST explicitly (re)authenticate the user using a user visible challenge. If the user is currently logged in as determined by the OP, then the OP MUST only re-authenticate that user.
* MUST support the `max_age` parameter with a value representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than the specified value OR the OP can silently authenticate the user and issue a new `auth_time` within the required `max_age`, then no user visible authentication is required. The OP MAY choose to explicitly (re)authenticate the user regardless.
* MUST support `max_age` combined with `prompt=none` where if specified, the OP MUST NOT engage the user in any visible user experience. If the elapses time since authentication is greater than the value specified and the OP can not silently re-authenticate the user, the OP MUST return an error.

Note 1: while both nonce and PKCE can provide protection from authorization code injection, nonce relies on the client (RP) to implement and enforce the check, and the IdP is unable to verify that it has been implemented correctly, and only stops the attack after tokens have already been issued. Instead, PKCE is enforced by the IdP and stops the attack before tokens are issued.
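Review bot: the rewritten `max_age` bullet (the one beginning "MUST support the `max_age` parameter with a value representing") drops a requirement the deleted line carried: when the elapsed time exceeds `max_age` and the OP cannot silently re-authenticate the user, the OP MUST actively (re)authenticate. As written, the new text covers only the "no user visible authentication is required" case and the `prompt=none` error case, leaving the ordinary over-age case unspecified; suggest appending a sentence such as "Otherwise, the OP MUST actively (re)authenticate the user using a user visible challenge." In the `prompt=none` bullet, "elapses time" should read "elapsed time" and "can not" should be "cannot"; the list punctuation is also inconsistent, since the new bullets end in a period while the earlier bullets in this list end in a semicolon.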

Expand Down Expand Up @@ -195,7 +197,9 @@ For the authorization code flow, Relying Parties:
* MUST generate the PKCE challenge specifically for each authorization request and securely bind the challenge to the client and the user agent in which the flow was started;
* MUST check the `iss` parameter in the authorization response according to [RFC9207] to prevent mix-up attacks;
* SHOULD NOT use `nonce` parameter values longer than 64 characters;
* SHOULD use `prompt=login` if the RP wants to ensure that the user is visibly challenged for (re)authentication
* SHOULD use the `max_age` parameter in the authentication request to specify the maximum allowable authentication age to the OP in seconds. The value of the `max_age` parameter MAY be determined based upon the business rules of the RP.
* SHOULD user `max_age` and `prompt=none` if the RP wants to ensure that the user is not visibly challenged for (re)authentication.

To match the `prompt=login` requirement above, suggest we change the order in this sentence to "SHOULD use prompt=none and max_age".

Note the typo right now: "user" instead of "use".

In addition to the ID Token validation requirements described in Section 3.1.37 of [OpenID], Relying Parties:
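Review bot: the new `max_age` and `prompt=none` bullet tells the RP how to avoid a visible challenge but not what to do when that request fails: the OpenID Provider section above requires the OP to return an error when the elapsed time exceeds `max_age` and it cannot silently re-authenticate, so this bullet should state that the RP MUST be prepared to handle that error (for example by repeating the request without `prompt=none`, or with `prompt=login` when a fresh authentication is needed) rather than treating it as a terminal login failure. Also, "SHOULD user" should read "SHOULD use", and the `prompt=login` bullet lacks the terminating punctuation the neighbouring bullets have.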
