<font size=2 face="sans-serif">Thanks John.</font>
<br>
<br><font size=2 face="sans-serif">> </font><font size=3>The client
is communicating via post message to the JS hosted at the IDP. In
that call the JS origin of the caller is available. </font>
<br><font size=2 face="sans-serif"><br>
I've got that part. But the session_state that the RP is passing
in the JS is the one that was given to it by the OP during the auth_code
flow. According to the comparison algorithm, that session_state must
include in its hash the client's origin, which is known to the browser,
not the OP.</font>
<br>
<br><font size=2 face="sans-serif">Maybe I'm missing something obvious.</font>
<br>
<table width=223 style="border-collapse:collapse;">
<tr height=8>
<td width=223 bgcolor=white style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:0px 0px;"><font size=1 face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size=1 face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
lainhart@us.ibm.com</b></font></table>
<br>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">John Bradley <ve7jtb@ve7jtb.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">Todd W Lainhart/Lexington/IBM@IBMUS,
</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Cc:
</font><font size=1 face="sans-serif">"openid-specs-ab@lists.openid.net"
<openid-specs-ab@lists.openid.net>, Breno de Medeiros <breno@google.com></font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">01/14/2014 02:57 PM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [Openid-specs-ab]
session_state calculation</font>
<br>
<hr noshade>
<br>
<br>
<br><font size=3>Breno is probably going to give a better answer.
</font>
<br>
<br><font size=3>The client is communicating via post message to the JS
hosted at the IDP. </font>
<br><font size=3>In that call the JS origin of the caller is available.
</font>
<br>
<br><font size=3>John B <br>
<br>
Sent from my iPhone</font>
<br><font size=3><br>
On Jan 14, 2014, at 12:05 PM, Todd W Lainhart <</font><a href=mailto:lainhart@us.ibm.com><font size=3 color=blue><u>lainhart@us.ibm.com</u></font></a><font size=3>>
wrote:<br>
</font>
<br><font size=2 face="sans-serif">Section 4.2 of the Session Mgmt. spec
talks about how the OP iframe calculates the session_state to be compared
to that given previously to the RP in the auth code flow. That section
says this:</font><font size=3> <br>
</font><font size=2 face="Verdana"><br>
"The OP iframe MUST recalculate it from the previously obtained Client
ID, the source origin URL (from the postMessage), and the current OP Browser
state. If the received value and the calculated value do not match, then
the OP iframe MUST postMessage the string </font><font size=2 color=#002060 face="Courier New">changed</font><font size=2 face="Verdana">
back to the source. If it matched, then it MUST postMessage the string
</font><font size=2 color=#002060 face="Courier New">unchanged</font><font size=2 face="Verdana">.</font><font size=3>
" <br>
</font><font size=2 face="sans-serif"><br>
...which implies that the OP will have to calculate that value at the authorization
endpoint.</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
If I'm understanding this, I'm not getting how the OP can reliably know
what the source origin URL is at the time the session_state is provisioned
and given to the RP.</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Am I missing something? I've included the example from Section 4.2
of the Session Mgmt. spec below.</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
-- Todd</font><font size=3> <br>
<br>
<br>
</font><font size=2 face="Courier New"><br>
window.addEventListener("message", receiveMessage, false);<br>
<br>
function receiveMessage(e){ // e has client_id and session_state<br>
<br>
// Validate message origin<br>
client_id = message.split(' ')[0];<br>
session_state = message.split(' ')[1];<br>
var salt = session_state.split('.')[1];<br>
<br>
// get_op_browser_state() is an OP defined function<br>
// that returns the browser's login status at the OP.<br>
// How it is done is entirely up to the OP.<br>
var opbs = get_op_browser_state();<br>
<br>
// Here, the session_state is calculated in this particular way,<br>
// but it is entirely up to the OP how to do it under the<br>
// requirements defined in this specification.<br>
var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' +<br>
opbs + [' ' + salt]) [+ "." + salt];<br>
<br>
if (e.session_state == ss) {<br>
stat = 'unchanged';<br>
} else {<br>
stat = 'changed';<br>
}<br>
<br>
e.source.postMessage(stat, e.origin);<br>
};</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
</font><font size=3><br>
</font>
<table width=223 style="border-collapse:collapse;">
<tr height=8>
<td width=221 bgcolor=white style="border-style:solid;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><font size=1 face="Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size=1 face="Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)</b></font><font size=1 color=blue face="Arial"><b><u><br>
</u></b></font><a href=mailto:lainhart@us.ibm.com><font size=1 color=blue face="Arial"><b><u>lainhart@us.ibm.com</u></b></font></a></table>
<br>
<br><font size=3>_______________________________________________<br>
Openid-specs-ab mailing list</font><font size=3 color=blue><u><br>
</u></font><a href="mailto:Openid-specs-ab@lists.openid.net"><font size=3 color=blue><u>Openid-specs-ab@lists.openid.net</u></font></a><font size=3 color=blue><u><br>
</u></font><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><font size=3 color=blue><u>http://lists.openid.net/mailman/listinfo/openid-specs-ab</u></font></a>
<br>