Clone wiki

connect / session management memo

Step 0. RP obtains session_state via any authn response from IdP.

session_state = sha256(client_id + origin + idp_session_state + salt) + "." + salt. 

idp_session_state is either "no_user", "not_authenticated", "authenticated_user".

Step 1. RP loads RP frame

Question: Do we really need to define the function hasChanged()? Does it not suffice to specify what message is being sent to IdP frame via postMessage?

After the frame loads, following function is available

boolean hasChanged(client_id, session_state)

This function postMessage to the IdP frame

win = window.parent.document.getElementById("idp").contentWindow;
win.postMessage(string, targetOrigin);


string = client_id + "." + session_state; 
targetOrigin = scheme + "://" + domain name of the IdP + (":" + port number)

Question: Why not use JSON instead of "." separated text? e.g. is it not the following better?

// msg is to be sent to IdP iFrame via postMessage
var obj = 
var msg = JSON.stringify(obj);

win.postMessage(msg, targetOrigin);

Also, it needs to add Event Listener to receive message from the IdP frame for the type "message".

window.addEventListner("message", receiveMessage, false); 

Function receiveMessage checks if event.origin === targetOrigin. If not, it MUST return error. contains either "unchanged" or "changed". 
If "unchanged", return false. 
Else, return true. 

Step 2. RP load IdP frame

The IdP frame receives postMessage from the RP frame and postMessage back to the RP frame whether the IdP state changed or not.

Since the event listener function MUST check if event.origin === RP URL, the IdP frame need to know who would be calling this frame. This is achieved by calling the frame with client_id.

Thus, IdP frame's URL, the Session Notification Endpoint URL is published in the Provider Configuration file.

The endpoint accepts the following parameters:

  • client_id client_id of the RP. It is used by the IdP to find out the origin URL from the registration data so that it will constrain the postMessage source. contains client_id and session_state.

Cookie has idp_session_state. Origin is event.origin.

Thus session_state can be re-calculated. If received session_state and the calculated session_state is equal, it should do:

   event.source.postMessage('unchanged', event.origin); 


   event.source.postMessage('changed', event.origin); 

Step 3. RP polls the IdP Frame

window.settimeout(checkState, 30000);

function checkState 
   if(hasChanged(client_id, session_state) ) {

function onStateChange
  // --> first attempt to revalidate current session via propt:none authn request including id_token or a user hint for the session.