[Openid-specs-ab] Session Management - 4.1. OP iframe sample
Mike Jones
Michael.Jones at microsoft.com
Sun Jan 27 22:45:51 UTC 2013
Thanks for the response, Breno. Could you please read the current draft at http://openid.net/specs/openid-connect-session-1_0.html and let us know whether you think any changes need to be made before we issue the Implementer's Drafts? We will probably decide whether we're ready to do that at the 3pm call tomorrow (Monday).
Thanks again,
-- Mike
-----Original Message-----
From: Breno de Medeiros [mailto:breno at google.com]
Sent: Sunday, January 27, 2013 12:55 PM
To: Mike Jones
Cc: Naveen Agarwal; Ryo Ito; openid-specs-ab at lists.openid.net; Tim Bray
Subject: Re: [Openid-specs-ab] Session Management - 4.1. OP iframe sample
No, we don't agree with the following proposal.
- It exposes a global identifier for the user to the party (browser state), when session management is also made available (w/ salt) in cases where the user has not approved the application. In particular, it exposes a cross-domain identifier, in violation of browser policies on 3rd party cookies.
- It exposes a global identifier for the user to the party (browser state), even if session management is used in combination w/ possible extensions of OpenID Connect that specify different semantics of identifier scope.
The proposal we put forward creates a session state that is specific to the client_id and is the origin of the site. We would like to extend this to allow a site to specify a cookie policy so that the session_state can apply more broadly, for instance, so that www.google.com and plus.google.com can see the same session state (today, to accomplish that, you can use cookies scoped to .google.com). But we certainly don't think it's a feature to have the session state identify the user (even if not a persistent identifier) to www.google.com and www.microsoft.com, in particular in the absence of explicit user approval.
On Sat, Jan 26, 2013 at 9:51 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Breno and Naveen, do you agree with the code below?
>
> -- Mike
>
> ________________________________
> From: Ryo Ito
> Sent: 1/26/2013 7:43 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Session Management - 4.1. OP iframe sample
>
> The OP iframe sample still includes unnecessary descriptions such as
> the salt or the SHA256 hash.
> The developer may be confused.
>
> My suggestion of OP iframe samples:
> ===
> window.addEventListener("message", receiveMessage, false);
>
> function receiveMessage(e) { // e.data is "client_id session_state"
>
>   var stat;
>   // Validate message origin
>   var client_id = e.data.split(' ')[0];
>   if (!validate_client_origin(client_id, e.origin)) {
>     return;
>   }
>
>   var session_state = e.data.split(' ')[1];
>   var browser_session_state = get_browser_session_state();
>   if (session_state == browser_session_state) {
>     stat = 'unchanged';
>   } else {
>     stat = 'changed';
>   }
>
>   e.source.postMessage(stat, e.origin);
> }
>
> function validate_client_origin(client_id, origin)
> {
>   // origin validation: check origin against the origin(s) registered for client_id
>   return true; // or false
> }
>
> function get_browser_session_state()
> {
>   // return "session state from cookie or HTML storage"
> }
> ===
>
> Ryo.
>
> --
> ====================
> Ryo Ito
> Email : ritou.06 at gmail.com
> ====================
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
--
--Breno