[Openid-specs-ab] Issue #872: session 4.1. Opbs is unclear and conflict with "session management memo" on wiki (openid/connect)

Phuong Le issues-reply at bitbucket.org
Tue Sep 17 15:43:58 UTC 2013


New issue 872: session 4.1. Opbs is unclear and conflict with "session management memo" on wiki
https://bitbucket.org/openid/connect/issue/872/session-41-opbs-is-unclear-and-conflict

Phuong Le:

Regarding the spec at [openid-connect-session-1_0-15.html](http://openid.net/specs/openid-connect-session-1_0-15.html), the

session_state = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' + opbs + [' ' + salt]) [+ "." + salt]

where opbs is the browser state. Besides, opbs' type is unclear; I am not sure if it is a random string or not.

Otherwise, regarding the "session management memo" at [https://bitbucket.org/openid/connect/wiki/session%20management%20memo](https://bitbucket.org/openid/connect/wiki/session%20management%20memo), the

session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt

where opbs above is replaced with "idp_session_state" and its value is defined as 1 of 3 values only.

Could you please make it clear?

Responsible: mbj
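
Added example, not part of the original post or of the OpenID Connect drafts: the two session_state formulas quoted in the issue, implemented side by side in Node.js (`crypto` stands in for CryptoJS). It assumes opbs / idp_session_state is an opaque string; the function names and sample values are constructed. It goes one step beyond the question by showing that the two forms differ in field delimiting as well as in the state value.

```javascript
const crypto = require('crypto');

const sha256hex = (s) =>
  crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Spec draft -15 form: fields joined by a single space, salt optional.
function sessionStateSpec(clientId, origin, opbs, salt) {
  const fields = [clientId, origin, opbs];
  if (salt !== undefined) fields.push(salt);
  const hash = sha256hex(fields.join(' '));
  return salt !== undefined ? `${hash}.${salt}` : hash;
}

// Wiki memo form: plain concatenation, salt always present.
function sessionStateMemo(clientId, origin, idpSessionState, salt) {
  return `${sha256hex(clientId + origin + idpSessionState + salt)}.${salt}`;
}

// Recompute a received session_state from its own salt (the part after
// the first ".") and compare it with the received value.
function matches(compute, clientId, origin, state, received) {
  const dot = received.indexOf('.');
  const salt = dot === -1 ? undefined : received.slice(dot + 1);
  const a = Buffer.from(compute(clientId, origin, state, salt));
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample values: two different (origin, state) pairs whose
// plain concatenation is the same string.
const PAIR_A = ['client1', 'https://rp.example:80', '80abc', 's4lt'];
const PAIR_B = ['client1', 'https://rp.example:8080', 'abc', 's4lt'];

function compareForms() {
  return {
    specDistinct: sessionStateSpec(...PAIR_A) !== sessionStateSpec(...PAIR_B),
    memoCollides: sessionStateMemo(...PAIR_A) === sessionStateMemo(...PAIR_B),
  };
}

console.log(compareForms());
```

The two forms are not interchangeable: the same inputs give different session_state values, so both sides of the comparison must use the same one.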

