[Openid-specs-ab] Feedback on OpenID Connect Session Management

Thomas Broyer t.broyer at gmail.com
Tue May 31 11:37:47 UTC 2016

On Tue, May 31, 2016 at 12:32 AM John Bradley <ve7jtb at ve7jtb.com> wrote:

> I suppose some other hash could have been used besides S256.   It however
> is probably not worth the trouble to make it configurable.

It's an implementation detail of the OP, so it doesn't matter whether it's
"configurable" or not.

> I think it was Google that came up with the S256 requirement.

It's not a requirement. The requirement is to use a "salted cryptographic

> Work on that session management spec has largely stalled.  Google who
> originally proposed it, built something similar but incompatible.
> I believe Microsoft is the only one to have widely implemented it.

I found two OP implementations on GitHub (not talking about Gluu Server,
which is not actually Session Management; and also excluding my own
implementation): https://github.com/anvilresearch/connect/ and
Both use SHA256, with the same arguments, in the same order (slight
variation is that IdentityServer3 doesn't separate them with spaces). I'm
assuming everyone (including me) did the same: just do the same as the
non-normative example from the spec, not trying (or failing) to understand
the underlying reasons for the SHA256.
And mod_oauth_openidc supports it as an RP.
No idea if that qualifies as "widely implemented" (I suppose you mean
"widely deployed" here?)

> I think they are relatively happy with it in Azure.

Would love to hear from them!

Thanks for answering anyway!