[Openid-specs-ab] Shared sessions and OpenID Connect
gffletch at aol.com
Fri Jun 19 14:24:45 UTC 2015
Had some thoughts around how a given company might leverage OpenId
Connect as the Authentication and SSO protocol within (and across)
domains and still support a shared session concept. I know the Session
Management spec leverages hidden iframes to check the session in the
browser but I was thinking about something that would enable the given
sites to set a session cookie like is already used in many cases today.
First question is whether this something worth standardizing or valuable
to others? Second question is, what are the downsides of either of the
* add a new response_type called shared_session
* if shared_session is part of the response type request, then in
addition to the id_token, access_token, and refresh_token returned when
exchanging the code value, a shared session value would be returned that
the site could use to write into a session cookie on their site.
* the value of this shared session cookie could be validated at the
OpenID Connect provider to determine if the session is still valid
* define a scope of "shared_session"
* define a special refresh_token flow where if the only scope requested
in the refresh_token request, would return a value that could be used as
the session cookie in the browser
-- this is similar to what ACDC is doing with the acdc scope
I believe either of these approaches will work... however, option 2
requires the site to do two API calls where as option 1 only requires 1
Hopefully that all makes sense:)
Any usefulness here?
More information about the Openid-specs-ab