Implement OpenID Connect Session Management 1.0 #415

Open
louischan-oursky opened this issue Feb 17, 2020 · 4 comments
Comments

@louischan-oursky
Contributor

Description

Implement OpenID Connect Session Management 1.0

Investigate an implementation (maybe proprietary) that supports the Facebook Messenger authentication flow.

Blog Post Specification

Blog Post of the Feature Release

Open Questions

Put a list of open questions here before a complete design / specification is decided

Related Issues

  • Server Issues
  • Client Issues
  • Guides Issues
@kiootic
Contributor

kiootic commented Feb 17, 2020

Regarding FB messenger: a quick search shows this: https://stackoverflow.com/a/44234694

@louischan-oursky
Contributor Author

I guess we will stick with the spec and use iframe and postMessage.

@kiootic
Contributor

kiootic commented Feb 17, 2020

I think it's not that simple. The main problem here is showing the authentication status of a user on a page controlled by an OIDC client unauthorized by the user. In this case, we can solve it in these ways:

  • have a way to designate a specific registered OIDC client as first-party client, so that it is treated implicitly authorized by all users (and the OIDC session management API can be used); or
  • provide a page to be embedded as iframe in the OIDC client page, displaying the authentication status message and link to authentication flow entry.

@louischan-oursky
Contributor Author

The main problem here is showing the authentication status of a user on a page controlled by an OIDC client unauthorized by the user. In this case, we can solve it in these ways

I got what you meant. However, the spec has an assumption that the RP page has ID token so it assumes that the user has already authorized the RP. Your scenario assumes the user has not yet authorized the RP so the spec simply does not apply.

have a way to designate a specific registered OIDC client as first-party client, so that it is treated implicitly authorized by all users (and the OIDC session management API can be used)

Maybe the way to go.

provide a page to be embedded as iframe in the OIDC client page, displaying the authentication status message and link to authentication flow entry.

I thought of this too, but it is impossible because we enforce PKCE so the flow must be triggered by the client.
