OpenID Connect Sessn Mgmt


Issue/Topic: OpenID Connect Session Management

Session: Wednesday 1I

Conference: IIW-11, November 2-4, Mountain View

Convener: Breno de Medeiros

Notes-taker(s): Breno de Medeiros

Tags: OpenID Connect Session Management

Discussion notes:

  • Discussed the authorization flow for OpenID Connect
  • Discussed the non-crypto authentication mechanism based on the UserInfo endpoint
  • Discussed the crypto-based authentication mechanism relying on signed JSON tokens
  • Discussed the session management lifecycle: extending the lifetime of tokens or invalidating them

Topics for further discussion:

  • Invalidation and revalidation of tokens: if and how the Client should signal to the Server which session to extend or validate
  • Validity duration of the encapsulated OAuth token for access to APIs other than the UserInfo endpoint
  • More detail about how specific OAuth authorization profiles (e.g., User Agent vs. Web Server flow) operate
  • Error responses
  • Immediate vs. user-interactive modes