[Openid-specs-ab] Comments on OpenID Connect Session Management
torsten at lodderstedt.net
Sun Mar 26 12:54:48 UTC 2017
Since we are in voting for Implementer's Draft now, I gave it another read. Here are my comments:
- Section 3: Why is session_state a parameter and not an ID token claim? I assume this parameter is supposed to be returned as part of the redirect to the RP (implicit) or in the token response. At least in the case of the redirect, it could be modified. Why take this risk?
- Note: I think it would be very helpful for all readers if the spec would include HTTP request/response examples (like all other OIDC specs).
- Section 4.1: the JS source code posts the message to "targetOrigin". How is the RP supposed to determine this URL? Is it the issuer's base URL? Is it the value of the check_session_iframe metadata claim?
- Section 4.2: "The computation of the session state returned in response to unsuccessful Authentication ..."
What is considered an Authentication response in this context? The OIDC authentication response or any postMessage between the RP and OP frames? If it is the OIDC authentication request, I wouldn't expect it to return any session state in case of an error, but the usual error information only.
- Section 5.1: Isn't the "Redirection to RP After Logout" a potential open redirector? I think there is a need to make redirect URI checks required.
- General note: I think it would be beneficial to add some text regarding the impact of strict 3rd-party cookie policies on this mechanism.