[Openid-specs-ab] An alternative session management proposal
roland.hedberg at adm.umu.se
Mon Nov 5 07:41:24 UTC 2012
Has my support!
On 5 Nov 2012, at 05:40, "Richer, Justin P." <jricher at mitre.org> wrote:
> I would like to propose an alternative method of handling session management in OpenID Connect. I believe that we can build this capability by making use of the id_token with a set of existing and proposed token management capabilities in OAuth2.
> Starting a new session is easy -- this is just vanilla OpenID Connect token issuance as it exists today. The id_token that you get issued is the representation of your session.
> Checking on the status is done through an Introspection Endpoint, using the id_token as an access_token. The community hasn't fully centered around a draft for an Introspection Endpoint yet, but there was a lot of interest in it at the last IIW and I think that there are some legs to this general mechanism. This also gives you dumb-client validation, which was thrown out with the Check ID Endpoint.
> Renewing the session is a little tricky, but since the id_token is a JWT, I think we can use the Assertion flow of OAuth2 to trade in one id_token for a new one. There are also a handful of approaches being discussed around methods of trading in one access token for another access token which might apply here.
> Ending a session is simply calling the Revocation Endpoint with the id_token. Note that this might keep the refresh token and access token still valid in the wild, depending on the application. Separation of these life cycles is, I argue, a good thing.
> In summary, I think this approach is much more simple to implement and architecturally more elegant, and all of the tools it would use to do its job would have general applicability in the wider OAuth2 world.
IT Architect/Senior Researcher
ICT Services and System Development (ITS)
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
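The life cycle Justin sketches above, as an added example that is neither his code nor anything from the OpenID working group: a hypothetical Python OP where the id_token is the session, signed with HS256 and a constructed key for brevity (a real OP would use its own published signing key), with OP-side state kept in memory and `now` passed explicitly so the flow can be exercised deterministically.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-hmac-key"  # constructed; a real OP signs with its own published key
ISSUER = "https://op.example"       # hypothetical issuer
ACTIVE = set()  # OP-side state: jti of every id_token that still represents a live session

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def start_session(sub, client_id, now, lifetime=3600):
    # Vanilla issuance: sign an id_token and record its jti as a live session.
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now,
              "exp": now + lifetime, "jti": secrets.token_hex(8)}
    body = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    ACTIVE.add(claims["jti"])
    return body + "." + _b64(sig)

def _verify(token, now):
    # Signature, issuer, expiry and "not yet revoked" must all hold; otherwise None.
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # The header is never trusted (HS256 is always enforced); a bad signature yields {}.
        claims = json.loads(_unb64(body)) if hmac.compare_digest(expected, _unb64(sig)) else {}
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    ok = isinstance(claims, dict) and claims.get("iss") == ISSUER and now < claims.get("exp", 0)
    return claims if ok and claims.get("jti") in ACTIVE else None

def introspect(token, now):
    # Introspection Endpoint: the id_token is presented as if it were an access_token.
    claims = _verify(token, now)
    return {"active": False} if claims is None else dict(active=True, **claims)

def revoke(token, now):
    # Revocation Endpoint: ends the session; invalid or unknown tokens are silently ignored.
    claims = _verify(token, now)
    if claims is not None:
        ACTIVE.discard(claims["jti"])

def renew(token, now):
    # Assertion-style exchange: a live id_token buys a fresh one; the old jti is retired first.
    claims = _verify(token, now)
    if claims is not None:
        revoke(token, now)
        return start_session(claims["sub"], claims["aud"], now)
```

Revoking the id_token only touches the session set, so any access or refresh token issued alongside it keeps its own life cycle, which is the separation the proposal argues for.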