RP iframe Message Should Not Be Created In The Same Way As OP iframe Message #913

Closed
afroDC opened this Issue Sep 26, 2018 · 0 comments

afroDC commented Sep 26, 2018

Per the spec, the RP is supposed to POST a message to the OP that matches this format:

var mes = client_id + " " + session_state;

  function check_session()
  {
    var targetOrigin = "https://server.example.com";
    var win = window.parent.document.getElementById("op").
                contentWindow;
    win.postMessage( mes, targetOrigin);
  }

That is, the client_id and the session_state that were sent back to the RP.

However, Gluu Server requires that the message (mes) be built the same way the session_state is created, which isn't in the spec and is confusing. What's even more confusing is that the session_state is just the OP's cookie. Here is how you have to POST a message to Gluu Server's OP iframe from the RP to get this functionality to work:

    // Check User Session Status
    //<![CDATA[
    // Assumes CryptoJS (crypto-js) is already loaded in the page, for CryptoJS.SHA256 and CryptoJS.lib.WordArray.random.
    var rpOrigin = window.location.origin;
    var opOrigin = 'https://example.gluu.org';
    var clientId = '$GLUU_SERVER_CLIENT_ID';

    // The OP browser state, read here from the cookie named session_state as described above.
    var op_browser_state = getCookieValue('session_state');
    var mes = null;
    var timerId = null;

    // Return the value of the named cookie, or null if it is not set.
    function getCookieValue(cookieName) {
        var name = cookieName + "=";
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = cookies[i].trim();
            if (cookie.indexOf(name) == 0) {
                return cookie.substring(name.length, cookie.length);
            }
        }
        return null;
    }

    // Build the message the way the OP builds session_state:
    // client_id + " " + SHA256(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt, with a fresh random salt.
    function updateMes() {
        var salt = CryptoJS.lib.WordArray.random(128 / 8);
        mes = clientId + ' ' + CryptoJS.SHA256(clientId + ' ' + rpOrigin + ' ' + op_browser_state + ' ' + salt) + "." + salt;
    }

    // Post the current message to the OP iframe (element id "iframeOP" in the parent document).
    function checkSession() {
        var win = window.parent.document.getElementById("iframeOP").contentWindow;
        win.postMessage(mes, opOrigin);
    }

    // Start polling every 3 seconds. updateMes() has to run first, otherwise mes is still null when posted.
    function setTimer() {
        clearTimer();
        updateMes();
        checkSession();
        timerId = setInterval(checkSession, 3 * 1000); // pass the function, not an eval'd string
    }

    function clearTimer() {
        if (timerId) {
            window.clearInterval(timerId);
            timerId = null;
        }
    }

    window.addEventListener("message", receiveMessage, false);

    // Only accept replies from the OP origin; the OP answers "changed", "unchanged" or "error".
    function receiveMessage(e) {
        if (e.origin !== opOrigin) {
            return;
        }
        console.log("Session State: " + e.data);
        if (e.data == "unchanged") {
            // User is still logged in
        } else {
            // User has logged out
        }
    }
    //]]>

This doesn't match the spec for the RP and is actually the spec for the OP. Sending the message the spec defines for the RP iframe, client_id + " " + session_state, will always return "changed", even if the user's session is still logged in.

I think we need to adjust how this is checked and more closely adhere to the spec regarding session status management.

@afroDC afroDC added the bug label Sep 26, 2018

@afroDC afroDC added this to the 3.1.5 milestone Sep 26, 2018

qbert2k added a commit that referenced this issue Dec 8, 2018

@qbert2k qbert2k closed this Dec 10, 2018

qbert2k added a commit that referenced this issue Dec 11, 2018
