OpenID Connect Sessn Mgmt

From IIW
Revision as of 12:34, 7 February 2011 by WikiSysop (talk | contribs) (Undo revision 3084 by Igiwydijok (Talk))


Issue/Topic: OpenID Connect Session Management

Session: Wednesday 1I

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Breno de Medeiros

Notes-taker(s): Breno de Medeiros


OpenID Connect Session Management

Discussion notes:

  • Discussed the authorization flow for OpenID Connect
  • Discussed the non-crypto authentication mechanism based on the UserInfo endpoint
  • Discussed the crypto-based authentication mechanism relying on signed JSON tokens
  • Discussed the session management lifecycle: extending the lifetime of tokens or invalidating them

Topics for further discussion:

  • Invalidation and revalidation of tokens: if and how the Client should signal to the Server which session to extend or validate
  • Validity duration of the encapsulated OAuth token for access to APIs other than the UserInfo endpoint
  • More detail on how specific OAuth authorization profiles (e.g., User-Agent vs. Web Server flow) operate
  • Error responses
  • Immediate vs. user-interactive modes