connect / session management memo
Step 0. RP obtains session_state via any authn response from IdP.
session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt.
idp_session_state is either "no_user", "not_authenticated", "authenticated_user".
Step 1. RP loads RP frame
Question: Do we really need to define the function hasChanged()? Does it not suffice to specify what message is being sent to IdP frame via postMessage?
After the frame loads, the following function is available:
boolean hasChanged(client_id, session_state)
This function sends a postMessage to the IdP frame:
win = window.parent.document.getElementById("idp").contentWindow;
win.postMessage(string, targetOrigin);
where
string = client_id + "." + session_state;
targetOrigin = scheme + "://" + domain name of the IdP + (":" + port number)
Question: Why not use JSON instead of "."-separated text? e.g., isn't the following better?
// msg is to be sent to the IdP iframe via postMessage
var obj =
{
"client_id":"client1",
"session_state":"af23b34542fd",
"salt":"fjs"
};
var msg = JSON.stringify(obj);
win.postMessage(msg, targetOrigin);
Also, it needs to add an event listener to receive messages from the IdP frame for the "message" event type:
window.addEventListener("message", receiveMessage, false);
The function receiveMessage checks whether event.origin === targetOrigin. If not, it MUST return an error.
event.data contains either "unchanged" or "changed".
If "unchanged", return false.
Else, return true.
Step 2. RP loads IdP frame
The IdP frame receives the postMessage from the RP frame and posts a message back to the RP frame saying whether the IdP state changed or not.
Since the event listener function MUST check that event.origin === RP URL, the IdP frame needs to know who will be calling this frame. This is achieved by calling the frame with client_id.
Thus, the IdP frame's URL, the Session Notification Endpoint URL, is published in the Provider Configuration file.
The endpoint accepts the following parameters:
- client_id client_id of the RP. It is used by the IdP to find out the origin URL from the registration data so that it will constrain the postMessage source.
event.data contains client_id and session_state.
Cookie has idp_session_state. Origin is event.origin.
Thus session_state can be recalculated. If the received session_state and the calculated session_state are equal, it should do:
event.source.postMessage('unchanged', event.origin);
Otherwise:
event.source.postMessage('changed', event.origin);
Step 3. RP polls the IdP Frame
window.setTimeout(checkState, 30000);
function checkState()
{
if (hasChanged(client_id, session_state)) {
onStateChange();
}
window.setTimeout(checkState, 30000); // re-arm so the RP keeps polling
}
function onStateChange()
{
// --> first attempt to revalidate the current session via a prompt=none authn request including the id_token or a user hint for the session.
}