[Openid-specs-ab] Cookies present on OpenID Connect Session Management

Andreas Åkre Solberg andreas.solberg at uninett.no
Wed Aug 24 04:57:51 UTC 2011

On the refresh session and end session endpoints, in 3.2.1 and 3.2.3, cookies are not mentioned.

While the spec gives the impression that these calls will be performed front-channel, I'm not sure if it is explicitly mentioned. Implementors might (with good reasons) try at least two alternatives:
1. Do a completely backchannel call,
2. Do the requests in hidden iframes.

The first will cause a problem if the provider expects cookies to be present, which is likely to happen as there is no session identifier in the id_token.
The second may cause problems with cookies in some rare browser settings.

Both will cause problems when the provider decides to involve user interaction, as part of i.e. the logout flow.

Maybe it would be a good idea to add a 'display' parameter to these endpoints.
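
Added illustration, not part of the original message or of the spec: a toy provider that finds the session only through its cookie, showing why alternative 1 (a completely back-channel call) cannot end the session while a request carrying the browser's cookie jar can. The paths /login and /end_session, the cookie name sid, the session s1 and the id_token value are all constructed for this example.

```python
from http.cookiejar import CookieJar
import threading
import urllib.error
from urllib.request import build_opener, HTTPCookieProcessor, ProxyHandler
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # provider-side session store, keyed by cookie value only

class ToyProvider(BaseHTTPRequestHandler):
    def do_GET(self):
        # The id_token in the query carries no session id, so only the cookie counts.
        sid = self.headers.get("Cookie", "").partition("sid=")[2].split(";")[0]
        if self.path.startswith("/login"):
            SESSIONS["s1"] = "alice"  # constructed session
            self._reply(200, "sid=s1; HttpOnly")
        elif self.path.startswith("/end_session") and SESSIONS.pop(sid, None):
            self._reply(200)
        else:
            self._reply(400)  # no cookie, so no session to end

    def _reply(self, code, set_cookie=None):
        self.send_response(code)
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def status(opener, url):
    try:
        return opener.open(url, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), ToyProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    browser = build_opener(ProxyHandler({}), HTTPCookieProcessor(CookieJar()))
    rp_backend = build_opener(ProxyHandler({}))  # back channel: no cookie jar
    status(browser, base + "/login")
    url = base + "/end_session?id_token=constructed-token"
    back = status(rp_backend, url)   # sent without the provider's cookie
    survived = "s1" in SESSIONS      # session is still alive at the provider
    front = status(browser, url)     # cookie attached, session ends
    server.shutdown()
    return back, survived, front
```

`run_demo()` returns the back-channel status, whether the session survived it, and the front-channel status.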


