[Openid-specs-ab] Feedback on OpenID Connect Session Management
Thomas Broyer
t.broyer at gmail.com
Tue May 31 11:37:47 UTC 2016
On Tue, May 31, 2016 at 12:32 AM John Bradley <ve7jtb at ve7jtb.com> wrote:
> I suppose some other hash could have been used besides S256. It however
> is probably not worth the trouble to make it configurable.
>
It's an implementation detail of the OP, so it doesn't matter whether it's
"configurable" or not.
> I think it was Google that came up with the S256 requirement.
>
It's not a requirement. The requirement is to use a "salted cryptographic
hash".
> Work on that session management spec has largely stalled. Google who
> originally proposed it, built something similar but incompatible.
> I believe Microsoft is the only one to have widely implemented it.
>
I found two OP implementations on GitHub (not talking about Gluu Server,
which is not actually Session Management; and also excluding my own
implementation): https://github.com/anvilresearch/connect/ and
https://github.com/IdentityServer/IdentityServer3/
Both use SHA256, with the same arguments, in the same order (slight
variation is that IdentityServer3 doesn't separate them with spaces). I'm
assuming everyone (including me) did the same: just do the same as the
non-normative example from the spec, not trying (or failing) to understand
the underlying reasons for the SHA256.
And mod_oauth_openidc supports it as an RP.
No idea if that qualifies as "widely implemented" (I suppose you mean
"widely deployed" here?).
> I think they are relatively happy with it in Azure.
>
Would love to hear from them!
Thanks for answering anyway!