openid / connect / issues / #641 - Registration - 2.1 add javascript origin URL for session management

Issue #641 resolved

Edmund Jay created an issue 2012-08-08

The session management spec mentions checking the javascript origin for the client making the request but there is no deterministic way to figure the origin URL for clients with multiple registered redirect URLs. One solution is to let the client register which origin URL to use.

Comments (5)

Nat Sakimura
- assigned issue to
  
  Edmund Jay
- edited description
In the previous call, we decided to have a single entry. Nat was skeptical if it works. Nat asked Edmund to try it out using different RP domains.
- 2012-08-09T14:35:05+00:00
Michael Jones
It would seem logical to allow any of the registered redirect URIs to be used. On the other hand, creating an interface to enable the IdP JavaScript to retrieve the redirect URIs for a client_id seems like it could be complicated. There is also a salt involved. The JavaScript always needs to talk to the origin of its parent iframe.

This seems like it needs more thought.
- 2012-09-10T23:52:47+00:00
Michael Jones
Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).
- 2012-10-01T23:33:52+00:00
Michael Jones
Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).
- 2012-10-01T23:33:52+00:00
Edmund Jay reporter
- changed status to resolved
fixes ~~#641~~: Registration - 2.1 add javascript origin URL for session management

→ 74afce9bdddb
- 2012-10-02T18:33:34+00:00
Log in to comment

Assignee: Edmund Jay

Type: bug

Priority: major

Status: resolved

Component: –

Milestone: –

Version: –

Votes: 0

Watchers: 0