[Openid-specs-ab] Comments on OpenID Connect Session Management
Michael.Jones at microsoft.com
Sun Mar 26 21:01:27 UTC 2017
Thanks for the useful review comments, Torsten. I agree that adding some examples like the other specs would be a good idea.
Breno should probably be the one to respond to the session_state vs. ID Token question and the targetOrigin question.
Yes, I think it's the Connect Authentication Response that's being talked about in 4.2. I'll think about this some more.
The post_logout_uri isn't an open redirector because it's registered.
Relevant third party cookie text should probably be added to all the logout specs. This is actually tracked as issue #1003 https://bitbucket.org/openid/connect/issues/1003/document-possible-impacts-of-disabling. Would you like to work on some text for this this week?
From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
Sent: Sunday, March 26, 2017 5:55 AM
To: openid-specs-ab at lists.openid.net; breno at google.com; Mike Jones <Michael.Jones at microsoft.com>
Subject: Comments on OpenID Connect Session Management
Since we are in voting for Implementer’s Draft now, I gave it another read. Here are my comments:
- Section 3: Why is session_state a parameter and not an ID Token claim? I assume this parameter is supposed to be returned as part of the redirect to the RP (implicit) or in the token response. At least in case of the redirect, it could be modified. Why take this risk?
- Note: I think it would be very helpful for all readers if the spec would include HTTP request/response examples (like all other OIDC specs).
- Section 4.1: the JS source code posts the message to "targetOrigin" - How is the RP supposed to determine this URL? Is it the issuer's base URL? Is it the value of the check_session_iframe metadata claim?
- Section 4.2: "The computation of the session state returned in response to unsuccessful Authentication …"
What is considered an Authentication response in this context? The OIDC authentication response or any postMessage among RP and OP frame? If it is the OIDC authentication request, I wouldn’t expect it to return any session state in case of an error but the usual error information only.
- Section 5.1: Isn’t the “Redirection to RP After Logout” a potential open redirector? I think there is a need to make redirect URI checks required.
- General note: I think it would be beneficial to add some text regarding the impact of strict 3rd party cookie policies on this mechanism.