[Openid-specs-ab] Session - session change notification through postMessage

Nat Sakimura sakimura at gmail.com
Thu Jun 7 16:08:57 UTC 2012

Now that I am trying to write down the session management spec, I am
looking at the whiteboard photo of the session management f2f back in May.

Here is what I understand right now for session change notification.
Correct me if I am wrong:

*Step 0. RP constructs session_state via any authn response from IdP*

session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt.

idp_session_state is either "no_user", "not_authenticated", "

*Step 1. RP loads RP frame*

After the frame loads, the following function is available:

boolean hasChanged(client_id, session_state)

This function calls postMessage on the IdP frame window:
  win = window.parent.document.getElementById("idp").contentWindow;

Thus, win.postMessage(string, targetOrigin);

  where string = client_id + "." + session_state;
      targetOrigin = scheme + "://" + domain name of the IdP + (":" + port

Also, it needs to add an event listener to receive messages from the IdP frame
for the type "message".

window.addEventListener("message", receiveMessage, false);

Function receiveMessage(event) checks if event.origin === targetOrigin.
If not, it MUST return an error.

event.data contains either "unchanged" or "changed".
If "unchanged", return false.
Else, return true.

*Step 2. RP loads IdP frame*

The IdP frame receives postMessage from the RP frame.
The event listener function MUST check if event.origin === RP URL.
event.data contains client_id and session_state.
Cookie has idp_session_state. Origin is event.origin.
Thus session_state can be re-calculated.
If the received session_state and the calculated session_state are equal,
it should do:
   event.source.postMessage('unchanged', event.origin);
Otherwise:
   event.source.postMessage('changed', event.origin);

*Step 3. RP polls the IdP Frame.*

window.setTimeout(checkState, 30000);

function checkState() {
   if (hasChanged(client_id, session_state)) {
      onStateChange();
   }
}

function onStateChange
  --> first attempt to revalidate current session via prompt:none authn
request including id_token or a user hint for the session.

Nat Sakimura (=nat)
Chairman, OpenID Foundation