[Openid-specs-ab] Possibly using session_state in logout and prompt=none requests

John Bradley ve7jtb at ve7jtb.com
Tue Jul 1 21:51:39 UTC 2014


In the current session management spec the session_management parameter is used to prevent correlation, or information leaking to third parties invoking the API.

I suppose that depending how the IdP creates the value it could be unique enough to identify the session, though I don't think that is guaranteed by the current spec.

An IdP might support the logout api but not the rest of the JS session management, in that case there wouldn't be a session_state to send.

Sending the id_token_hint is not required, but is probably a good idea if the IdP supports multiple logins.

I think trying to use it in place of the id_token_hint is more of a stretch. The id_token_hint is required when you are trying to log someone in again as the same account after the session has expired. So adding another hint beyond the id_token and login_hint may cause more confusion than it is worth.

I am happy to discuss the idea if you like.

The Google folks should chime in on if this would fit the design of the parameter or if the parameter was just intended to provide entropy and not be unique.

John B.




On Jun 30, 2014, at 8:46 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Some Microsoft product people have asked whether session_state could be used in logout requests as an alternative to using the id_token_hint.  A secondary related ask would be to be able to use the session_state instead of id_token_hint in prompt=none requests.
>  
> The logic behind this request is that then the RP would only need to persist the session_state value and not the id_token value.
>  
> It's not clear whether in the general case, session_state would have sufficient information for this to work.  It would be good to get a sense what people have in their session_state values now (which are opaque to the RP).
>  
> Another possible downside to this is that since session management is optional, RPs would still have to have code to persist the id_token for prompt=none requests for OPs that don’t support session management.
>  
> Comments?
>  
> -- Mike
>  
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
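An added example, not written by either participant in this thread, of the non-normative session_state derivation given in OpenID Connect Session Management 1.0 (SHA256 over client_id, origin, OP browser state and a salt, with the salt appended). It illustrates the point at issue: the value is built for the OP iframe to answer "changed" or "unchanged", so the same session produces a different string on every issuance and the RP has nothing stable to persist as a session identifier in place of the id_token. Client IDs, origins and browser-state values below are constructed.

```python
import hashlib
import secrets
from typing import Optional


def compute_session_state(client_id: str, origin: str,
                          op_browser_state: str,
                          salt: Optional[str] = None) -> str:
    """OP-side derivation from the spec's non-normative example:
    SHA256(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt.
    A fresh random salt is drawn when none is supplied, which is why two
    responses for one and the same OP session never carry the same value."""
    if salt is None:
        salt = secrets.token_hex(16)
    material = f"{client_id} {origin} {op_browser_state} {salt}".encode()
    return f"{hashlib.sha256(material).hexdigest()}.{salt}"


def op_iframe_check(message: str, origin: str, current_opbs: str) -> str:
    """Mirror of the OP iframe: the RP iframe posts "client_id session_state";
    the OP recomputes with its current browser state and the salt carried in
    the value, and answers "changed", "unchanged" or "error" (malformed input).
    The OP never needs, and cannot derive, a session identifier from it."""
    try:
        client_id, session_state = message.split(" ", 1)
        _, salt = session_state.split(".", 1)
    except ValueError:
        return "error"
    expected = compute_session_state(client_id, origin, current_opbs, salt)
    return "unchanged" if secrets.compare_digest(expected, session_state) else "changed"


def demo() -> dict:
    """Constructed walk-through: one RP, one OP session, then a state change."""
    client_id, origin, opbs = "rp-client-1", "https://rp.example", "opbs-session-A"
    first = compute_session_state(client_id, origin, opbs)
    second = compute_session_state(client_id, origin, opbs)  # same session, new salt
    return {
        "stable_identifier": first == second,            # False: RP cannot index on it
        "same_state": op_iframe_check(f"{client_id} {first}", origin, opbs),
        "after_logout": op_iframe_check(f"{client_id} {first}", origin, "opbs-session-B"),
        "other_client": op_iframe_check(f"rp-client-2 {first}", origin, opbs),
    }
```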
