OpenID Connect Session – Management and Login

From IIW

Session Topic: OpenID Connect Session Management & Log Out

Wednesday 1B

Convener: John B.

Notes-taker(s): Mike Jones

Breno de Medeiros gave a tutorial on the current session management model.

Mike Jones let the audience know that the purpose of the session is to refine the contents of the OpenID session management spec:

http://openid.net/specs/openid-connect-session-1_0.html

Issue: Is "ops" a separate parameter?

  • We decided that it should be a separate parameter from the ID Token

Google implementation feedback: RPs are likely to hold on to "ops" as a cookie, so we should make sure that it's safe to do so.

  • Safe across multiple tabs from same RP
  • Safe for users by respecting cookie same-origin policy

We should add a JavaScript origin to the crypto function that computes the ops.
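
One way the origin could be bound into the ops computation, as an added example that is not from the session notes or the spec draft under discussion. It assumes a salted SHA-256 over client ID, RP origin and OP browser state (the inputs the published Session Management spec later used for its session_state value); all function names and sample values are hypothetical.

```javascript
// Added illustration (Node.js). Names and sample values are constructed.
const nodeCrypto = require('crypto');

// Assumed construction: SHA-256(client_id SP origin SP OP-browser-state SP salt) + "." + salt
function computeOps(clientId, rpOrigin, opBrowserState, salt) {
  const digest = nodeCrypto.createHash('sha256')
    .update([clientId, rpOrigin, opBrowserState, salt].join(' '))
    .digest('hex');
  return digest + '.' + salt;
}

// OP-side check. senderOrigin must be the origin the browser reports for the
// caller (e.g. event.origin on a postMessage), never a value taken from the message body.
function checkOps(clientId, senderOrigin, opBrowserState, presentedOps) {
  const parts = String(presentedOps).split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return 'error';
  const expected = Buffer.from(computeOps(clientId, senderOrigin, opBrowserState, parts[1]));
  const given = Buffer.from(String(presentedOps));
  const same = expected.length === given.length &&
    nodeCrypto.timingSafeEqual(expected, given);
  return same ? 'unchanged' : 'changed';
}

// Constructed sample data
const CLIENT_ID = 'rp-client-123';
const RP_ORIGIN = 'https://rp.example';
const OP_STATE = 'opbs-constructed-1';
const SAMPLE_OPS = computeOps(CLIENT_ID, RP_ORIGIN, OP_STATE, 'a1b2c3');

function demo() {
  return {
    // Two tabs of the same RP hold the same cookie value and both verify.
    sameRpTab: checkOps(CLIENT_ID, RP_ORIGIN, OP_STATE, SAMPLE_OPS),
    // A page on another origin replaying the value does not verify.
    otherOrigin: checkOps(CLIENT_ID, 'https://other.example', OP_STATE, SAMPLE_OPS),
    // The OP-side state changed (e.g. the user logged out at the OP).
    afterLogout: checkOps(CLIENT_ID, RP_ORIGIN, 'opbs-constructed-2', SAMPLE_OPS),
  };
}

console.log(demo());
```

Because the origin is an input to the hash, a value stored in an RP cookie only verifies when presented from that RP's origin, which is the cookie-safety property the feedback above asks for.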