[Openid-specs-ab] Session Management - 4.1. OP iframe sample

Breno de Medeiros breno at google.com
Sun Jan 27 20:54:59 UTC 2013


No, we don't agree with the following proposal.

- It exposes a global identifier for the user to the party (browser
state), when session management is also made available (w/ salt) in
cases where user has not approved the application. In particular, it
exposes a cross-domain identifier, in violation of browser policies on
3rd party cookies.

- It exposes a global identifier for the user to the party (browser
state), even if session management is used in combination w/ possible
extensions of OpenIDConnect that specify different semantics of
identifier scope.

The proposal we put forward creates a session state that is specific
to the client_id and the origin of the site. We would like to
extend this to allow a site to specify a cookie policy so that the
session_state can apply more broadly, for instance, so that
www.google.com and plus.google.com can see the same session state
(today, to accomplish that, you can use cookies scoped to
.google.com). But we certainly don't think it's a feature to have the
session state identify the user (even if not a persistent identifier)
to www.google.com and www.microsoft.com, in particular in the absence
of explicit user approval.

On Sat, Jan 26, 2013 at 9:51 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Breno and Naveen, do you agree with the code below?
>
> -- Mike
>
> ________________________________
> From: Ryo Ito
> Sent: 1/26/2013 7:43 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Session Management - 4.1. OP iframe sample
>
> The OP iframe sample still includes unnecessary descriptions such as
> the salt or the SHA256 hash.
> The developer may be confused.
>
> My suggestion of OP iframe samples:
> ===
> window.addEventListener("message", receiveMessage, false);
>
>   function receiveMessage(e){ // e.data is "client_id session_state"
>
>     var stat;
>     // Validate message origin before looking at anything else
>     var parts = e.data.split(' ');
>     var client_id = parts[0];
>     if(!validate_client_origin(client_id, e.origin)){
>       return;
>     }
>
>     var session_state = parts[1];
>     var browser_session_state = get_browser_session_state(client_id, e.origin);
>     if (session_state == browser_session_state) {
>       stat = 'unchanged';
>     } else {
>       stat = 'changed';
>     }
>
>     // Reply only to the origin the message came from
>     e.source.postMessage(stat, e.origin);
>   }
>
>   function validate_client_origin(client_id, origin)
>   {
>     // origin validation: true only if origin is registered for client_id
>     return true; // or false
>   }
>
>   function get_browser_session_state(client_id, origin)
>   {
>     // return the session state from cookie or HTML storage
>     return "";
>   }
> ===
>
> Ryo.
>
> --
> ====================
> Ryo Ito
> Email : ritou.06 at gmail.com
> ====================
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab



-- 
--Breno


