OpenID Connect Session Management
Issue/Topic: OpenID Connect Session Management
Session: Wednesday 1I
Conference: IIW-11, November 2-4, Mountain View
Convener: Breno de Medeiros
Notes-taker(s): Breno de Medeiros
Tags: OpenID Connect Session Management
Discussion notes:
- Discussed the authorization flow for OpenID Connect
- Discussed the non-crypto authentication mechanism based on the UserInfo endpoint
- Discussed the crypto-based authentication mechanism relying on signed JSON tokens
- Discussed the session management lifecycle: extending the lifetime of tokens or invalidating them
Topics for further discussion:
- Invalidation and revalidation of tokens: if and how the Client should signal to the Server which session to extend or validate
- Validity duration of the encapsulated OAuth token when used for access to APIs other than the UserInfo endpoint
- More detail about how specific OAuth authorization profiles (e.g., User Agent vs. Web Server flow) operate
- Error responses
- Immediate vs. user-interactive modes