- edited description
session_state - upon authentication failure?
from: https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3
When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.
Section 3.1.2.5 of Core 1.0 is Successful Authentication Response
And yet https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.1 at the end of the section says
Note that the session state is origin bound. Session state SHOULD be returned upon an authentication failure.
In the case of an unsuccessful Authentication Request, the value of the session state returned SHOULD vary with each request. However, the browser session state need not change unless a meaningful event happens. In particular, many values of session state can be simultaneously valid, for instance by the introduction of random salt in the session states issued in response to unsuccessful Authentication Requests.
Should session_state be returned with error responses too? If so
- which ones? all? (server_errors, invalid_request, invalid_client too?) just login_required, interaction_required, account_selection_required, authentication_failed?
- the reference in section 3 should be updated, it points only to successful response
- more details around the expected behaviours please, currently it's scattered around the specification and I would expect section 3 to hold all the normative pieces around the parameter, its calculation, etc., together
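As an added example (not code from the issue, the quoted spec text, or any OP implementation), this works through the session_state construction I assume from Session Management 1.0 section 4.2, which is not quoted above: it shows how values issued with a fresh salt on repeated unsuccessful requests differ from each other yet all validate against the same unchanged OP browser state, and stop validating once that state changes. The client_id, origin and browser-state values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Session state construction assumed from OpenID Connect Session Management 1.0
# section 4.2 (not quoted on this page):
#   session_state = SHA256(client_id + " " + origin + " " + op_browser_state + " " + salt) + "." + salt

def compute_session_state(client_id: str, origin: str, op_browser_state: str,
                          salt: Optional[str] = None) -> str:
    """Build session_state as the OP would for one RP origin and the current
    OP browser state. A fresh random salt per issuance makes the returned value
    differ on every (failed) request while the browser state itself is unchanged."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha256(
        f"{client_id} {origin} {op_browser_state} {salt}".encode()
    ).hexdigest()
    return f"{digest}.{salt}"

def session_state_matches(session_state: str, client_id: str, origin: str,
                          op_browser_state: str) -> bool:
    """The comparison the OP iframe performs on a postMessage from the RP:
    split off the salt, recompute the hash over the *current* browser state and
    compare. Any salted value issued for that state matches; a value issued
    before a login or logout (state changed) does not."""
    digest, sep, salt = session_state.rpartition(".")
    if not sep or not digest or not salt:
        return False  # malformed: treat as 'error' rather than 'unchanged'
    expected = compute_session_state(client_id, origin, op_browser_state, salt)
    return hmac.compare_digest(expected.encode(), session_state.encode())

# Constructed sample values (not from the spec or the issue).
CLIENT_ID = "s6BhdRkqt3"
ORIGIN = "https://rp.example.com"
UNAUTH_STATE = "constructed-opbs-unauthenticated"
AUTH_STATE = "constructed-opbs-authenticated"

if __name__ == "__main__":
    # Two failed Authentication Requests in the same unauthenticated browser session:
    first = compute_session_state(CLIENT_ID, ORIGIN, UNAUTH_STATE)
    second = compute_session_state(CLIENT_ID, ORIGIN, UNAUTH_STATE)
    print("values differ:", first != second)
    print("both still valid:", session_state_matches(first, CLIENT_ID, ORIGIN, UNAUTH_STATE)
          and session_state_matches(second, CLIENT_ID, ORIGIN, UNAUTH_STATE))
    # After the user logs in, the browser state changes and older values stop matching:
    print("stale after login:", not session_state_matches(first, CLIENT_ID, ORIGIN, AUTH_STATE))
```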
Comments (7)
reporter -
We clearly need to update the session state when going from an authenticated to unauthenticated state and vice versa. It's not clear if or how the session state should change when going from one unauthenticated state to another. Comments are solicited!
- changed status to open
Filip to review the issue and propose specific changes.
reporter -
- changed status to resolved
Fixed
#1047 - session_state - upon authentication failure? → <<cset 740193de4a04>>
realized there are more references to this topic throughout the spec, updated the original description.