session 4.1. Opbs is unclear and conflict with "session management memo" on wiki

Issue #872 resolved
Former user created an issue

Regarding to the spec on openid-connect-session-1_0-15.html, The session_state = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' + opbs + [' ' + salt]) [+ "." + salt] where opbs is browser state. Besides, opbs' type is unclear, I am not sure if it is a random string or not.

Ortherwise, regarding to the "session management memo" on, the session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt. where obps above is replaced with "idp_session_state" and its value is defined as 1 of 3 values only.

Could you please make it clear?

Comments (5)

  1. Nat Sakimura

    The wiki page is just a memo before jotting down the spec., so do not rely on it. The opbs is a blob that stores the state of the browser at the OP. This specification does not define how to. It is up to the OP implementation. What this specification specifies is the request and response to the postMessage.

    The code example in the spec is there just to depict what an OP may have to do to implement the feature. As it is clearly stated, it is a non-normative example.

  2. Nat Sakimura
    • changed status to open

    Did not even needed to follow up with Breno. My intention here is clear. The example is non-normative and is just illustrating what an OP might do to fulfill what the spec. normatively requires. If it is causing more confusion than explaining it, we may want to drop the example and just go with the normative text.

  3. Former user Account Deleted

    Thank you for your explanation, I think it is clearer if we can add an example on the specification.

  4. Log in to comment