[Openid-specs-ab] Shared sessions and OpenID Connect

George Fletcher gffletch at aol.com
Fri Jun 19 14:24:45 UTC 2015

Had some thoughts around how a given company might leverage OpenID 
Connect as the Authentication and SSO protocol within (and across) 
domains and still support a shared session concept. I know the Session 
Management spec leverages hidden iframes to check the session in the 
browser but I was thinking about something that would enable the given 
sites to set a session cookie like is already used in many cases today.

First question is whether this is something worth standardizing or valuable 
to others? Second question is, what are the downsides of either of the 
following options?

Option 1:
* add a new response_type called shared_session
* if shared_session is part of the response type request, then in 
addition to the id_token, access_token, and refresh_token returned when 
exchanging the code value, a shared session value would be returned that 
the site could use to write into a session cookie on their site.
* the value of this shared session cookie could be validated at the 
OpenID Connect provider to determine if the session is still valid

Option 2:
* define a scope of "shared_session"
* define a special refresh_token flow where, if that is the only scope requested 
in the refresh_token request, the provider would return a value that could be used as 
the session cookie in the browser
  -- this is similar to what ACDC is doing with the acdc scope

I believe either of these approaches will work... however, option 2 
requires the site to do two API calls whereas option 1 only requires 1 
API call.

Hopefully that all makes sense :)

Any usefulness here?
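Option 1 as an added, constructed model (not code from the thread or from any OpenID implementation): a toy provider that issues an opaque shared_session handle alongside the usual tokens when that response_type is requested, lets each site write it into a cookie, and validates it server-side so that ending the provider session invalidates every site's cookie at once. The class and method names are assumptions made here.

```python
import secrets
import time

SESSION_TTL = 3600  # constructed provider-side session lifetime, in seconds


class Provider:
    """In-memory model of an OpenID Provider supporting a shared_session response_type."""

    def __init__(self):
        self._codes = {}     # authorization code -> (session id, requested response types)
        self._sessions = {}  # provider session id -> expiry timestamp
        self._shared = {}    # shared_session handle -> provider session id

    def login(self, user):
        """User authenticates at the provider; a provider session is created."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = time.time() + SESSION_TTL
        return sid

    def authorize(self, sid, response_type):
        """Authorization request from a site; returns a one-time code bound to the session."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (sid, response_type.split())
        return code

    def token(self, code):
        """Code exchange: the usual tokens, plus an opaque handle if shared_session was requested."""
        sid, response_types = self._codes.pop(code)
        resp = {"id_token": "<id_token>", "access_token": "<access_token>",
                "refresh_token": "<refresh_token>"}  # placeholders, not real tokens
        if "shared_session" in response_types:
            handle = secrets.token_urlsafe(32)  # random reference, carries no claims itself
            self._shared[handle] = sid
            resp["shared_session"] = handle
        return resp

    def validate_shared_session(self, handle):
        """Called by a site with the cookie value; true only while the provider session lives."""
        sid = self._shared.get(handle)
        return sid is not None and self._sessions.get(sid, 0) > time.time()

    def end_session(self, sid):
        """Logout at the provider: every handle that references this session becomes invalid."""
        self._sessions.pop(sid, None)


def session_cookie(handle, name="shared_session"):
    """Set-Cookie header a site would emit so the handle is not readable by page scripts."""
    return f"{name}={handle}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Because the handle is only a reference into provider state, a site never learns whether the session is valid without asking the provider, which is the single API call the post attributes to option 1.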
