session state in OpenID Connect Session Management

I am developing OpenID Connect session management for an existing IDP. In the specification it is mentioned that we should send the session state from the RP to the OP. I need to know what is really meant by session state here. I also need to know what I should take as the salt value.

Hasanthi asked Apr 05 '15 08:04

1 Answer

This session state value is something that is provided by the OP to the RP in the authentication response at the time of the original login. The value is opaque to the RP; the RP just needs to keep track of it and send it back to the OP in its postMessage calls from the RP iframe to the OP iframe so the OP can correlate it.

As the spec says at http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions :

When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.

This parameter is:

session_state
Session State. JSON string that represents the End-User's login state at the OP. It MUST NOT contain the space (" ") character. This value is opaque to the RP. This is REQUIRED if session management is supported. The Session State value is initially calculated on the server. The same Session State value is also recalculated by the OP iframe in the browser client. The generation of suitable Session State values is specified in Section 4.2, and is based on a salted cryptographic hash of Client ID, origin URL, and OP browser state. For the origin URL, the server can use the origin URL of the Authentication Response, following the algorithm specified in Section 4 of RFC 6454 [RFC6454].

Hans Z. answered Oct 12 '22 15:10