[Openid-specs-ab] Issue #1038: RP frame / parent frame communication cross-origin (openid/connect)
Filip Skokan
issues-reply at bitbucket.org
Sat Aug 4 13:53:43 UTC 2018
New issue 1038: RP frame / parent frame communication cross-origin
https://bitbucket.org/openid/connect/issues/1038/rp-frame-parent-frame-communication-cross
Filip Skokan:
I think it would be useful for client implementers to have the following hint in the Session Management 1.0 specification section 4.1 (RP iframe).
> Note that in deployments with multiple subdomains sharing the same RP session it is important that the parent window and RP iframe both set the same `document.domain` to get around same-origin restrictions. This will allow the RP iframe to target the parent window's embedded OP iframe.
example:
> actors:
>
> `idp.com` - is the identity provider, offers session management and has an OP frame, uses the redirect_uri Origin to form the session_state
> `www.rp.com` - is the main client content page that wishes to have users logged in
> `account.rp.com` - is the client that communicates with `idp.com`, the redirect_uri used is from this domain
>
> flow:
>
> 1) user clicks login on `www.rp.com`
> 2) `www.rp.com` uses `account.rp.com` to trigger oidc authentication flow
> 3) user logs in at `idp.com`, idp redirects back to `account.rp.com`
> 4) `account.rp.com` finishes the auth flow and, when finished, the second-level domain gets a global session set by `account.rp.com` so that `www.rp.com` knows there is a user logged in
> 5) user gets redirected back to the content at `www.rp.com`
> 6) `www.rp.com` embeds the OP iframe
> 7) `www.rp.com` sets `document.domain = 'rp.com';`
> 8) `www.rp.com` embeds the RP iframe from `account.rp.com` that has the session state
> 9) the RP frame also sets `document.domain = 'rp.com';`
>
> The RP iframe targets the embedded OP iframe now without issues and sends messages with the expected Origin and is able to notify the parent window (`www.rp.com`) about any changes or errors.
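As an added example, not code from Filip's post or from the Session Management specification, here is the RP iframe side of the exchange above in JavaScript: it builds the spec's `client_id session_state` check message, posts it to the OP iframe reached through the parent window, interprets the OP's `changed`/`unchanged`/`error` reply, and relays the result to `www.rp.com`. The OP origin, the OP iframe's `id`, the parent origin and the shape of the message handed to the parent are assumptions.

```javascript
// RP iframe logic for OpenID Connect Session Management 1.0, section 4.1.
// Assumed values (not from the issue or the spec):
const OP_ORIGIN = 'https://idp.com';         // origin of the OP
const OP_FRAME_ID = 'op';                    // id= of the OP iframe in the parent document
const PARENT_ORIGIN = 'https://www.rp.com';  // origin of the parent (content) window

// Spec-defined check-session request: "<client_id> <session_state>".
function buildCheckSessionMessage(clientId, sessionState) {
  return `${clientId} ${sessionState}`;
}

// Reach the OP iframe embedded by the parent window. Reading the parent's
// document needs same-origin access: with the parent on www.rp.com and this
// frame on account.rp.com that only works once both have set
// document.domain = 'rp.com', which is the point of the issue above.
// Note: browsers have since deprecated the document.domain setter; Chrome
// ignores it by default from version 115 unless Origin-Agent-Cluster: ?0 is sent.
function findOpFrame(win) {
  const el = win.parent.document.getElementById(OP_FRAME_ID);
  return el ? el.contentWindow : null;
}

// Post one check-session request; the answer arrives as a "message" event.
function pollOpFrame(win, clientId, sessionState) {
  const opFrame = findOpFrame(win);
  if (!opFrame) throw new Error('OP iframe not found in parent document');
  opFrame.postMessage(buildCheckSessionMessage(clientId, sessionState), OP_ORIGIN);
  return true;
}

// Interpret the OP's reply. Only the OP origin may answer, and only the
// three spec-defined values mean anything; anything else is dropped.
function interpretOpReply(event) {
  if (event.origin !== OP_ORIGIN) return { action: 'ignore' };
  switch (event.data) {
    case 'unchanged': return { action: 'none' };           // session intact
    case 'changed':   return { action: 'reauthenticate' }; // re-check with prompt=none
    case 'error':     return { action: 'stop' };           // stop polling
    default:          return { action: 'ignore' };
  }
}

// Relay a meaningful result to the parent window (www.rp.com). The message
// shape is an assumption; the spec leaves RP-internal signalling open.
function notifyParent(win, result) {
  if (result.action === 'none' || result.action === 'ignore') return false;
  win.parent.postMessage({ type: 'oidc-session', action: result.action }, PARENT_ORIGIN);
  return true;
}
```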