This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Implement Session Management Spec #30

Closed
leastprivilege opened this issue Apr 9, 2014 · 10 comments

Comments

@leastprivilege
Member

No description provided.

@leastprivilege leastprivilege added this to the Beta 1 milestone Apr 9, 2014
@leastprivilege leastprivilege modified the milestones: RC, Beta 1 May 25, 2014
@leastprivilege
Member Author

OIDC board is unsure right now what the right approach is - we will postpone that feature.

@whymarrh

Is there any update on this? I understand that the spec is still a draft, but I think this is required for functionally implementing the implicit flow in a SPA.

@leastprivilege
Member Author

We will implement that at some point - but it does not have a high priority.

The spec is actively discussed in the working group right now - expect changes.

@whymarrh

Interesting, am I correct in understanding that without the check_session_iframe the only way for a session to end, once a user has been authenticated, is for the ID token to expire?

Does this not prevent use of the implicit flow?

@leastprivilege
Member Author

No - the id token is just the outcome of the authentication process - it is not used to establish a session. The client itself is responsible for creating a session of some sorts.

@whymarrh

I guess I just mean that without support for the Session Management Spec, specifically check_session_iframe, a RP is left with 2 options:

  1. Wait for the ID token to expire
  2. Ping the OP for authentication with prompt set to none and interpret an error as the user being logged out

I think the first of which is impractical, but I guess option 2 works.

@leastprivilege
Member Author

Expect id tokens to be really short lived in practice - we are defaulting to 5 minutes IIRC.

  1. is mimicking the session management spec - so yes. That said - we will implement the spec - it is just not done yet.

@brockallen brockallen modified the milestones: Post RTM, RC Sep 9, 2014
@ciaranj
Contributor

ciaranj commented Oct 14, 2014

@leastprivilege Now we have the RP initiated logout capability (http://leastprivilege.com/2014/10/14/identityserver-v3-and-post-logout-redirect/) [thank you] that requires the identity token to be maintained by the client in order to pass it back to the OP, are we expecting to have long lived id tokens now, or is the 'exp' aspect of validating the token ignored for the logout?

@leastprivilege
Member Author

Expiration is ignored.

On 14.10.2014, at 21:40, "Ciaran Jessup" <notifications@github.com> wrote:

Now we have the RP initiated logout capability (http://leastprivilege.com/2014/10/14/identityserver-v3-and-post-logout-redirect/) [thank you] that requires the identity token to be maintained by the client in order to pass it back to the OP, are we expecting to have long lived id tokens now, or is 'exp' aspect of validating the token ignored for the logout?


@leastprivilege
Member Author

OK - session ID and check_session_iframe is implemented on dev
