[Openid-specs-ab] Session Management Spec

Emmanuel Raviart emmanuel at raviart.com
Wed Jul 4 08:18:26 UTC 2012

I am trying to implement this preliminary spec and I have a first question.

In section "4.1 OP iframe", it is written:

"The value of the aud field [in the "user_hint" ID Token], which is a 
client_id of the RP, is used to set the source origin for the 
postMessage request"

"The OP iframe MUST accept the postMessage from the source origin that 
was registered with the client. It MUST reject the postMessage request 
from other source origin."

But I don't see how the source origin is set from the client_id. Is it 
the host URL extracted from the redirect_uri or is it a new item in 
client registration or... ?


On 06/28/2012 07:50 AM, Nat Sakimura wrote:
> Since I did not receive any additional comments,
> I have committed it to the working repository (bitbucket).
> HTML version is here:
> http://openid.bitbucket.org/openid-connect-session-1_0.html
> With it, I would like to ask the working group to consider adding the
> following two items int eh OP Configuration file.
> OP iframe URL
>     The URL from which OP iframe is being loaded. This URL provides a
>     page that accepts postMessage from the relevant RP iframe and
>     postMessage back the login status of the user at the OP.
> OP Logout endpoint URL
>     The URL that initiate the user logout at the OP.
> The name for the each variable could be something like:
> op_session_iframe_url
>     and
> op_logout_url
> Best,
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list