-
assigned issue to
- edited description
Registration - 2.1 add javascript origin URL for session management
The session management spec mentions checking the javascript origin for the client making the request but there is no deterministic way to figure the origin URL for clients with multiple registered redirect URLs. One solution is to let the client register which origin URL to use.
Comments (5)
-
-
It would seem logical to allow any of the registered redirect URIs to be used. On the other hand, creating an interface to enable the IdP JavaScript to retrieve the redirect URIs for a client_id seems like it could be complicated. There is also a salt involved. The JavaScript always needs to talk to the origin of its parent iframe.
This seems like it needs more thought.
-
Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).
-
Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).
-
reporter - changed status to resolved
fixes
#641: Registration - 2.1 add javascript origin URL for session management - Log in to comment
In the previous call, we decided to have a single entry. Nat was skeptical if it works. Nat asked Edmund to try it out using different RP domains.