add RP frame / parent window communication cross-origin note

Issue #1038 resolved
Filip Skokan created an issue

I think it would be useful for client implementers to have the following hint in the Session Management 1.0 specification section 4.1 (RP iframe).

Note that in deployments with multiple subdomains sharing the same RP session it is important that the parent window and RP iframe both set the same document.domain to get around same-origin restrictions. This will allow the RP iframe to target the parent window's embedded OP iframe.

example:

actors:

idp.com - is the identity provider, offers session management and has an OP frame, uses the redirect_uri Origin to form the session_state
www.rp.com - is the main client content page that wishes to have users logged in
account.rp.com - is the client that communicates with idp.com, the redirect_uri used is from this domain

flow:

1) user clicks login on www.rp.com
2) www.rp.com uses account.rp.com to trigger oidc authentication flow
3) user logs in at idp.com, idp redirects back to account.rp.com
4) account.rp.com finishes the auth flow and when finished the second level domain gets a global session set by account.rp.com so that www.rp.com knows there is a user logged in
5) user gets redirected back to the content at www.rp.com
6) www.rp.com embeds the OP iframe
7) www.rp.com sets document.domain = 'rp.com';
8) www.rp.com embeds the RP iframe from account.rp.com that has the session state
9) the RP frame also sets document.domain = 'rp.com';

The RP iframe targets the embedded OP iframe now without issues and sends messages with the expected Origin and is able to notify the parent window (www.rp.com) about any changes or errors.
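A sketch of the RP iframe side of the flow described above, written as an added example (not code from the issue, the Session Management spec, or any project): the frame relaxes document.domain to the shared parent domain, reaches the OP iframe that www.rp.com embedded via window.parent, sends the spec's "client_id session_state" check message, and accepts replies only from the OP origin. The origins, client_id and iframe element id are constructed placeholders; the window object is passed in so the logic can be exercised outside a browser.

```javascript
// Added example: RP iframe (account.rp.com) logic for the cross-subdomain setup in the issue.
// Constructed values, not from the issue: origins, client_id and the OP iframe's element id.
const OP_ORIGIN = 'https://idp.com';        // origin of the embedded OP iframe
const PARENT_ORIGIN = 'https://www.rp.com'; // origin of the parent content page
const CLIENT_ID = 'example-client-id';      // placeholder client_id registered at idp.com
const OP_FRAME_ID = 'op-iframe';            // id the parent page gives the OP iframe
const SHARED_DOMAIN = 'rp.com';             // value both parent and RP iframe assign

// Message format defined by OpenID Connect Session Management: "<client_id> <session_state>".
function buildCheckMessage(clientId, sessionState) {
  if (!clientId || !sessionState) throw new Error('client_id and session_state are required');
  return clientId + ' ' + sessionState;
}

// Accept a reply only when it comes from the OP origin and is one of the three defined values.
function parseOpReply(event, opOrigin) {
  if (event.origin !== opOrigin) return null;
  return ['changed', 'unchanged', 'error'].includes(event.data) ? event.data : null;
}

// Locate the OP iframe embedded by the parent (www.rp.com). Reading parentWindow.document
// only works because both documents set document.domain to the same value (steps 7 and 9).
function findOpFrame(parentWindow, frameId) {
  const el = parentWindow.document.getElementById(frameId);
  return el && el.contentWindow ? el.contentWindow : null;
}

// Poll the OP iframe and report "changed" / "error" to the parent via onStatus.
// Returns a function that stops polling.
function startSessionCheck(win, sessionState, onStatus) {
  win.document.domain = SHARED_DOMAIN;                 // step 9 of the issue's flow
  const opFrame = findOpFrame(win.parent, OP_FRAME_ID);
  if (!opFrame) throw new Error('OP iframe not found in parent window');
  win.addEventListener('message', (e) => {
    const status = parseOpReply(e, OP_ORIGIN);
    if (status === null || status === 'unchanged') return; // ignore foreign senders and no-ops
    onStatus(status);
  });
  const msg = buildCheckMessage(CLIENT_ID, sessionState);
  const timer = win.setInterval(() => opFrame.postMessage(msg, OP_ORIGIN), 5000);
  return () => win.clearInterval(timer);
}

if (typeof window !== 'undefined' && window.parent !== window) {
  // In a browser: session_state arrives in the frame URL; relay changes to www.rp.com only.
  const state = new URLSearchParams(window.location.search).get('session_state');
  startSessionCheck(window, state,
    (status) => window.parent.postMessage({ sessionStatus: status }, PARENT_ORIGIN));
}
```

Note that current browsers are removing the document.domain setter (it is ignored when the Origin-Agent-Cluster header is sent), so the parent-to-frame leg is better done with postMessage and explicit origin checks than with domain relaxation.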

Comments (5)