[Openid-specs-ab] session_state calculation

Todd W Lainhart lainhart at us.ibm.com
Tue Jan 14 19:05:25 UTC 2014

Section 4.2 of the Session Mgmt. spec talks about how the OP iframe 
calculates the session_state to be compared to that given previously to 
the RP in the auth code flow.  That section says this:

"The OP iframe MUST recalculate it from the previously obtained Client ID, 
the source origin URL (from the postMessage), and the current OP Browser 
state. If the received value and the calculated value do not match, then 
the OP iframe MUST postMessage the string changed back to the source. If 
it matched, then it MUST postMessage the string unchanged. "

...which implies that the OP will have to calculate that value at the 
authorization endpoint.

If I'm understanding this, I'm not getting how the OP can reliably know 
what the source origin URL is at the time the session_state is provisioned 
and given to the RP.

Am I missing something?  I've included the example from Section 4.2 of the 
Session Mgmt. spec below.

   -- Todd

 window.addEventListener("message", receiveMessage, false);

  function receiveMessage(e){ // e has client_id and session_state

    // Validate message origin
    client_id = message.split(' ')[0];
    session_state = message.split(' ')[1];
    var salt = session_state.split('.')[1];

    // get_op_browser_state() is an OP defined function
    // that returns the browser's login status at the OP.
    // How it is done is entirely up to the OP.
    var opbs = get_op_browser_state();

    // Here, the session_state is calculated in this particular way,
    // but it is entirely up to the OP how to do it under the
    // requirements defined in this specification.
    var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' +
      opbs + [' ' + salt]) [+ "." + salt];

    if (e.session_state == ss) {
      stat = 'unchanged';
    } else {
      stat = 'changed';

    e.source.postMessage(stat, e.origin);

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
2-276-4705 (T/L)
lainhart at us.ibm.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140114/3a99a1f3/attachment.html>

More information about the Openid-specs-ab mailing list