Need clarity on session state variable
Is there any specific purpose for including client-id in session_state variable generation?
Comments (8)
- changed milestone to Implementer's Draft
-
I have no idea why this was assigned to me.
-
assigned issue to
Assigned to John for him to possibly provide rationale.
-
assigned issue to
-
I believe that this issue pertains to this computation
var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' + opbs + ' ' + salt) + "." + salt;
which is at http://openid.bitbucket.org/openid-connect-session-1_0.html#OPiframe
-
I recall that it had something to do with multiple clients using the same origin in a multi-tenant deployment. Breno or Naveen are more likely to remember.
-
Breno de Medeiros explained it to me this way:
"It is motivated by a privacy consideration. The assumption here is that multiple clients might be registered in the same UI (e.g., embedded widgets from different parties) and that there's an expectation not to share identifiers across apps that are not controlled by existing privacy settings."
-
- changed status to resolved
This was addressed in commit https://bitbucket.org/openid/connect/commits/d0a8cea5aaae529831799393fc01fd5d6a31dcdf
This was assigned to you, Justin. Do you have any take on it?