OpenID Connect Session – Management and Login
From IIW
Session Topic: OpenID Connect Session Management & Log Out
Wednesday 1B
Convener: John B.
Notes-taker(s): Mike Jones
Breno de Medeiros gave a tutorial on the current session management model.
Mike Jones let the audience know that the purpose of the session is to refine the contents of the OpenID session management spec:
http://openid.net/specs/openid-connect-session-1_0.html
Issue: Is "ops" a separate parameter?
- We decided that it should be a separate parameter from the ID Token
Google implementation feedback: RPs are likely to hold on to "ops" as a cookie so we should make sure that it's safe to do so
- Safe across multiple tabs from same RP
- Safe for users by respecting cookie same-origin policy
We should add a JavaScript origin to the crypto function that computes the ops
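Added example (not from the session or the spec text): a sketch of what binding "ops" to the RP's JavaScript origin buys when RPs keep the value in a cookie. The construction is an assumption: SHA-256 over client ID, origin, OP browser state and a salt, modeled on the session_state computation in the later published Session Management spec. The function names and sample values are hypothetical.

```javascript
// Added example; computeOps / isOpsCurrent and all sample values are illustrative.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// OP side: derive ops from the RP's client_id, the RP's JavaScript origin,
// the OP's own browser-state value, and a per-value salt.
function computeOps(clientId, origin, opBrowserState,
                    salt = randomBytes(16).toString('hex')) {
  const digest = createHash('sha256')
    .update([clientId, origin, opBrowserState, salt].join(' '))
    .digest('hex');
  return `${digest}.${salt}`;
}

// OP iframe side: recompute using the origin the browser reports for the
// sender (event.origin of the postMessage), never an origin taken from the
// message body. Returns true only if ops still matches the current OP state.
function isOpsCurrent(presentedOps, clientId, senderOrigin, opBrowserState) {
  const parts = String(presentedOps).split('.');
  if (parts.length !== 2 || !/^[0-9a-f]{64}$/.test(parts[0]) || !parts[1]) {
    return false; // malformed value
  }
  const expected = computeOps(clientId, senderOrigin, opBrowserState, parts[1]);
  const a = Buffer.from(presentedOps);
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed scenario: one RP, two tabs sharing the cookie, one foreign origin.
function demo() {
  const clientId = 'rp-client-123';          // constructed
  const rpOrigin = 'https://rp.example';     // constructed
  const ops = computeOps(clientId, rpOrigin, 'opbs-before-logout');
  return {
    tabA: isOpsCurrent(ops, clientId, rpOrigin, 'opbs-before-logout'),
    tabB: isOpsCurrent(ops, clientId, rpOrigin, 'opbs-before-logout'),
    otherOrigin: isOpsCurrent(ops, clientId, 'https://other.example',
                              'opbs-before-logout'),
    afterLogout: isOpsCurrent(ops, clientId, rpOrigin, 'opbs-after-logout'),
  };
}

console.log(demo());
```

Both tabs of the same RP validate the shared cookie value, while the same value presented from a different origin, or after the OP's browser state changes, does not.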