[Openid-specs-ab] Feedback on OpenID Connect Session Management
dbaier at leastprivilege.com
Wed Jun 1 09:58:01 UTC 2016
IdentityServer is widely deployed.
On 31 May 2016 at 13:38:06, Thomas Broyer (t.broyer at gmail.com) wrote:
On Tue, May 31, 2016 at 12:32 AM John Bradley <ve7jtb at ve7jtb.com> wrote:
I suppose some other hash could have been used besides S256. It however is probably not worth the trouble to make it configurable.
It's an implementation detail of the OP, so it doesn't matter whether it's "configurable" or not.
I think it was Google that came up with the S256 requirement.
It's not a requirement. The requirement is to use a "salted cryptographic hash".
Work on that session management spec has largely stalled. Google who originally proposed it, built something similar but incompatible.
I believe Microsoft is the only one to have widely implemented it.
I found two OP implementations on GitHub (not talking about Gluu Server, which is not actually Session Management; and also excluding my own implementation): https://github.com/anvilresearch/connect/ and https://github.com/IdentityServer/IdentityServer3/
Both use SHA256, with the same arguments, in the same order (slight variation is that IdentityServer3 doesn't separate them with spaces). I'm assuming everyone (including me) did the same: just do the same as the non-normative example from the spec, not trying (or failing) to understand the underlying reasons for the SHA256.
And mod_oauth_openidc supports it as an RP.
No idea if that qualifies as "widely implemented" (I suppose you mean "widely deployed" here?)
I think they are relatively happy with it in Azure.
Would love to hear from them!
Thanks for answering anyway!
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net