RP iframe Message Should Not Be Created In The Same Way As OP iframe Message #913
Per the spec, the RP is supposed to POST a message to the OP that matches this format:
Which is the client_ID and the session_state sent back to the RP.
However, Gluu Server requires that the message (mes) be the same as the method used to create the session_state, which isn't in the spec and is confusing. What's even more confusing is the session_state is just the OP's cookie. Here is how you have to POST a message to Gluu Server's OP iframe from the RP to get this functionality to work:
This doesn't match the spec for the RP and is actually the spec for the OP. Sending the RP iframe session status spec of
I think we need to adjust how this is checked and more closely adhere to the spec regarding session status management.
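For reference, the division of work described in OpenID Connect Session Management 1.0, as an added example that is not part of the original issue and is not Gluu Server code. It assumes the SHA-256 hex hash used in the spec's non-normative pseudocode; the function names and sample values are constructed for illustration.

```javascript
// Added example: follows the non-normative pseudocode in OpenID Connect
// Session Management 1.0. Function names and all values are constructed.
const nodeCrypto = require("node:crypto");

const sha256Hex = (s) =>
  nodeCrypto.createHash("sha256").update(s, "utf8").digest("hex");

// OP side, at authentication time: session_state binds the client, the RP
// origin and the OP browser state (opbs, held in an OP cookie) under a salt.
function computeSessionState(clientId, origin, opbs, salt) {
  return sha256Hex(`${clientId} ${origin} ${opbs} ${salt}`) + "." + salt;
}

// RP iframe: the message is only client_id and the session_state it was given.
// The RP never sees or reconstructs the OP browser state.
function buildRpMessage(clientId, sessionState) {
  return `${clientId} ${sessionState}`;
}

// OP iframe message handler: the origin comes from the MessageEvent and opbs
// from the OP's own cookie; neither is supplied by the RP.
function checkSession(messageData, eventOrigin, opbs) {
  if (typeof messageData !== "string") return "error";
  const parts = messageData.split(" ");
  if (parts.length !== 2) return "error";
  const [clientId, sessionState] = parts;
  const dot = sessionState.lastIndexOf(".");
  if (!clientId || dot <= 0 || dot === sessionState.length - 1) return "error";
  const salt = sessionState.slice(dot + 1);
  // Recompute with the OP's current browser state and compare.
  const expected = computeSessionState(clientId, eventOrigin, opbs, salt);
  return expected === sessionState ? "unchanged" : "changed";
}
```

In a browser the OP iframe would call `checkSession(e.data, e.origin, <value of its cookie>)` from its `message` listener and post the result back to `e.source`.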