Need clarity on session state variable

Comments (8)

1. 

   Michael Jones

   This was assigned to you, Justin. Do you have any take on it?

   • 2015-07-25T03:18:18+00:00
2. 

   Michael Jones

   • changed milestone to Implementer's Draft

   • 2015-07-25T03:22:10+00:00
3. 

   Justin Richer

   I have no idea why this was assigned to me.

   • 2015-07-26T13:37:08+00:00
4. 

   Michael Jones

   • assigned issue to
     
     John Bradley

   Assigned to John for him to possibly provide rationale.

   • 2015-07-27T23:28:49+00:00
5. 

   Michael Jones

   I believe that this issue pertains to this computation

   var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' + opbs + ' ' + salt) + "." + salt;

   which is at http://openid.bitbucket.org/openid-connect-session-1_0.html#OPiframe

   • 2015-07-28T00:31:57+00:00
6. 

   John Bradley

   I recall that it something to do with multiple clients using the same origin in a multi tenant deployment. Breno or Naveen are more likely to remember.

   • 2015-11-16T23:32:21+00:00
7. 

   Michael Jones

   Breno de Medeiros explained it to me this way:

   "It is motivated by a privacy consideration. The assumption here is that multiple clients might be registered in the same UI (e.g., embedded widgets from different parties) and that there's an expectation not to share identifiers across apps that are not controlled by existing privacy settings."

   • 2017-01-25T20:29:44+00:00
8. 

   Michael Jones

   • changed status to resolved

   This was addressed in commit https://bitbucket.org/openid/connect/commits/d0a8cea5aaae529831799393fc01fd5d6a31dcdf

   • 2017-01-26T01:58:10+00:00
9. Log in to comment