 

Check Session Iframe OpenIDConnect

I have a situation where I have an RP that does not explicitly require you to be logged into it. However, I had a look at the session management specification for OpenID Connect, more specifically the check_session_iframe endpoint specification as drafted here.

I was wondering if the following scenario would be possible. I have an RP that uses client x to federate sign-on onto my OP. Is it possible for me to see if the client (x) is signed into the OP even if you do not have the session id (or sid)? In other words, is it possible for an application to see if you have a session with the OP so that you are not forced to prompt a sign-on against the OP?

A basic flow that I want to satisfy for UX reasons is:

1) Go to the RP.

2) Check to see if the RP has a session with the OP.

3) • If there is a session, then auto-login (without initiating a flow).

   • If there is no session, then don't do anything (i.e. no need to prompt for login).

Is something like this possible? I do understand that it is possible to get session information if you have previously been signed in (by using the given session_state and client_id).

I have looked at the IdentityServer3.Samples, more specifically the client sample that shows how you can check session state here; however, it seems like this sample shows how it is possible to check session state after doing a login. I want to know if it is possible to check whether the client currently has a session even before the RP explicitly requests sign-on.

Lutando asked Oct 19 '22 03:10


1 Answer

Yes, use prompt=none in the authorization request to the OP, and do it in an iframe. The oidc-client-js library now supports this via the querySessionStatus API as of recently: https://brockallen.com/2016/08/12/check-session-support-in-oidc-client-js/.

Brock Allen answered Oct 21 '22 17:10
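The silent check the answer describes, as an added example that is not part of the original post and not code from oidc-client-js or IdentityServer: the RP builds an authorization request with prompt=none, loads it in a hidden iframe, and the callback page (served from the RP's own origin) posts its URL back to the parent. The OP's response then falls into one of three buckets: an ID token (the user has a session), error=login_required (no session, so do nothing), or some other error. The OP URL, client_id and redirect_uri below are assumed placeholder values, and the callback page at REDIRECT_URI is assumed to run parent.postMessage(location.href, location.origin). The ID token returned this way still has to be validated (signature, iss, aud, nonce, exp) before it is trusted; the classifier only decides which bucket the response is in.

```javascript
// Silent OIDC session probe with prompt=none in a hidden iframe.
// Added example; OP endpoint, client id and redirect URI are assumed values.
const OP_AUTHORIZE = 'https://op.example.com/connect/authorize'; // assumed
const CLIENT_ID = 'x';                                            // assumed
const REDIRECT_URI = 'https://rp.example.com/silent-callback.html'; // assumed

// Errors that mean "the OP cannot complete this without user interaction",
// i.e. there is no usable session, so the RP should simply do nothing.
const NO_SESSION_ERRORS = new Set([
  'login_required', 'interaction_required', 'consent_required',
  'account_selection_required',
]);

// Hex-encoded random bytes for state and nonce (unguessable per request).
function randomString(byteLen = 16) {
  const bytes = new Uint8Array(byteLen);
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    globalThis.crypto.getRandomValues(bytes);
  } else {
    // Fallback for runtimes without WebCrypto; not acceptable for real state/nonce values.
    for (let i = 0; i < byteLen; i++) bytes[i] = Math.floor(Math.random() * 256);
  }
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Authorization request that must not show any UI: prompt=none.
// response_type=id_token returns the result in the URL fragment.
function buildSilentAuthUrl({ state, nonce }) {
  const u = new URL(OP_AUTHORIZE);
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('redirect_uri', REDIRECT_URI);
  u.searchParams.set('response_type', 'id_token');
  u.searchParams.set('scope', 'openid');
  u.searchParams.set('state', state);
  u.searchParams.set('nonce', nonce);
  u.searchParams.set('prompt', 'none');
  return u.toString();
}

// Classify the callback URL the iframe landed on. The state check comes first
// so a stray or forged message cannot be mistaken for the OP's answer.
function classifySilentResponse(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams(url.hash ? url.hash.slice(1) : url.search);
  if (params.get('state') !== expectedState) {
    return { status: 'invalid', reason: 'state mismatch' };
  }
  const error = params.get('error');
  if (error && NO_SESSION_ERRORS.has(error)) return { status: 'no_session', error };
  if (error) {
    return { status: 'error', error, description: params.get('error_description') };
  }
  const idToken = params.get('id_token');
  if (idToken) {
    // Caller must still validate the token (signature, iss, aud, nonce, exp).
    return { status: 'logged_in', idToken, sessionState: params.get('session_state') };
  }
  return { status: 'invalid', reason: 'neither id_token nor error present' };
}

// Browser side: run the probe in a hidden iframe and resolve with the bucket.
// Only accepts messages from our own iframe on our own origin.
function checkSessionSilently({ timeoutMs = 5000 } = {}) {
  const state = randomString();
  const nonce = randomString();
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    let timer;
    const done = (result) => {
      window.removeEventListener('message', onMessage);
      clearTimeout(timer);
      iframe.remove();
      resolve(result);
    };
    const onMessage = (ev) => {
      if (ev.origin !== window.location.origin || ev.source !== iframe.contentWindow) return;
      done(classifySilentResponse(String(ev.data), state));
    };
    timer = setTimeout(() => done({ status: 'timeout' }), timeoutMs);
    window.addEventListener('message', onMessage);
    iframe.src = buildSilentAuthUrl({ state, nonce });
    document.body.appendChild(iframe);
  });
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // In the RP page: auto-login only when the OP reports an existing session.
  checkSessionSilently().then((r) => { if (r.status === 'logged_in') { /* establish local session */ } });
}
```

Two practical caveats: the probe depends on the OP's session cookie being sent from inside a cross-site iframe, which browsers that block third-party cookies no longer do, so a timeout or login_required can mean "cookie blocked" rather than "no session"; and the iframe must never be used to react to a message whose origin or source window is not your own callback page.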