[Openid-specs-ab] session_state calculation

John Bradley ve7jtb at ve7jtb.com
Tue Jan 14 19:57:22 UTC 2014


Breno is probably going to give a better answer.   

The client is communicating via post message to the JS hosted at the IDP. 
In that call the JS origin of the caller is available. 

John B 

Sent from my iPhone

> On Jan 14, 2014, at 12:05 PM, Todd W Lainhart <lainhart at us.ibm.com> wrote:
> 
> Section 4.2 of the Session Mgmt. spec talks about how the OP iframe calculates the session_state to be compared to that given previously to the RP in the auth code flow.  That section says this: 
> 
> "The OP iframe MUST recalculate it from the previously obtained Client ID, the source origin URL (from the postMessage), and the current OP Browser state. If the received value and the calculated value do not match, then the OP iframe MUST postMessage the string changed back to the source. If it matched, then it MUST postMessage the string unchanged. " 
> 
> ...which implies that the OP will have to calculate that value at the authorization endpoint. 
> 
> If I'm understanding this, I'm not getting how the OP can reliably know what the source origin URL is at the time the session_state is provisioned and given to the RP. 
> 
> Am I missing something?  I've included the example from Section 4.2 of the Session Mgmt. spec below. 
> 
>    -- Todd 
> 
> 
> 
>  window.addEventListener("message", receiveMessage, false);
> 
>  function receiveMessage(e){ // e has client_id and session_state
> 
>    // Validate message origin
>    client_id = message.split(' ')[0];
>    session_state = message.split(' ')[1];
>    var salt = session_state.split('.')[1];
> 
>    // get_op_browser_state() is an OP defined function
>    // that returns the browser's login status at the OP.
>    // How it is done is entirely up to the OP.
>    var opbs = get_op_browser_state();
> 
>    // Here, the session_state is calculated in this particular way,
>    // but it is entirely up to the OP how to do it under the
>    // requirements defined in this specification.
>    var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' +
>      opbs + [' ' + salt]) [+ "." + salt];
> 
>    if (e.session_state == ss) {
>      stat = 'unchanged';
>    } else {
>      stat = 'changed';
>    }
> 
>    e.source.postMessage(stat, e.origin);
>  }; 
> 
> 
> 
> 
> 
> 
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart at us.ibm.com
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140114/aff3bd15/attachment.html>


More information about the Openid-specs-ab mailing list