[Openid-specs-ab] Issue #1047: session_state - upon authentication failure? (openid/connect)
Brock Allen
brockallen at gmail.com
Sat Aug 25 12:31:35 UTC 2018
Currently IdentityServer does not support this, but I did receive a request to return session_state on error given that wording in the spec.
The use case of this customer was they were building a JS/SPA app and used prompt=none. They expected a session_state even on an error of login_required, meaning for an anonymous user. They were going to use the session_state at the check_session_iframe to monitor when the user went from anonymous to authenticated.
So to me that's an ancillary question -- is session_state expected to be returned for an anonymous user, which would be for an error response (of login_required)? If so, the customer's requirements could be satisfied. But on the other hand, that's a bit of a burden on the OP to assign a sid to an anonymous user before they have authenticated. It's possible, but it's just not an obvious thing to do, IMO.
Any thoughts on this? And sorry if this hijacks your thread, Filip.
-Brock
On 8/25/2018 5:43:28 AM, Filip Skokan via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
New issue 1047: session_state - upon authentication failure?
https://bitbucket.org/openid/connect/issues/1047/session_state-upon-authentication-failure
Filip Skokan:
from: https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3
> When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.
Section 3.1.2.5 of Core 1.0 is `Successful Authentication Response`
And yet https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.1 at the end of the section says
> Note that the session state is origin bound. **Session state SHOULD be returned upon an authentication failure.**
Should `session_state` be returned with error responses too?
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab