Registration - 2.1 add javascript origin URL for session management

Issue #641 resolved
Edmund Jay created an issue

The session management spec mentions checking the javascript origin for the client making the request but there is no deterministic way to figure the origin URL for clients with multiple registered redirect URLs. One solution is to let the client register which origin URL to use.

Comments (5)

  1. Nat Sakimura

    In the previous call, we decided to have a single entry. Nat was skeptical if it works. Nat asked Edmund to try it out using different RP domains.

  2. Michael Jones

    It would seem logical to allow any of the registered redirect URIs to be used. On the other hand, creating an interface to enable the IdP JavaScript to retrieve the redirect URIs for a client_id seems like it could be complicated. There is also a salt involved. The JavaScript always needs to talk to the origin of its parent iframe.

    This seems like it needs more thought.

  3. Michael Jones

    Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).

  4. Michael Jones

    Google appears to allow multiple values. We could use a space-delimited list. We still need to think about the security considerations and what restictions are appropriate for values (if any).

  5. Log in to comment