session 4.1. Opbs is unclear and conflicts with "session management memo" on wiki

Issue #872 resolved
Former user created an issue

Regarding the spec at openid-connect-session-1_0-15.html, the session_state = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' + opbs + [' ' + salt]) [+ "." + salt], where opbs is the browser state. Besides, the type of opbs is unclear; I am not sure whether it is a random string or not.

Otherwise, regarding the "session management memo" at https://bitbucket.org/openid/connect/wiki/session%20management%20memo, the session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt, where opbs above is replaced with "idp_session_state" and its value is defined as 1 of 3 values only.

Could you please make it clear?

Comments (5)

  1. Nat Sakimura

    The wiki page is just a memo before jotting down the spec., so do not rely on it. The opbs is a blob that stores the state of the browser at the OP. This specification does not define how to. It is up to the OP implementation. What this specification specifies is the request and response to the postMessage.

    The code example in the spec is there just to depict what an OP may have to do to implement the feature. As it is clearly stated, it is a non-normative example.

  2. Nat Sakimura
    • changed status to open

    Did not even need to follow up with Breno. My intention here is clear. The example is non-normative and is just illustrating what an OP might do to fulfill what the spec normatively requires. If it is causing more confusion than explaining it, we may want to drop the example and just go with the normative text.

  3. Former user Account Deleted

    Thank you for your explanation. I think it would be clearer if we could add an example to the specification.
