I'm currently working on a project related to OpenID Connect Back-Channel Logout. I need to include sid as a claim in the logout token, as mentioned in the specification.
sid - OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
From the explanation of sid, I am confused about whether it refers to the session id of the end-user at the RP or to the session id of the RP at the OP.
Thanks in advance.
OpenID Connect Back-Channel Logout is a mechanism by which Relying Party (RP) applications are logged out through logout requests communicated directly between RPs and OpenID Providers (OPs), bypassing the User Agent.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs.
sid is the session id, which is fixed for the lifetime of the renewal token. role is the list of roles assigned to the user, used in authorization to determine which areas of the site the user can access. iss is the portal alias of the site that issued the token. exp is the expiration time of the access token.
OpenID Connect (OIDC) Front-Channel Logout 1.0: This specification defines a logout mechanism that uses front-channel communication via the User Agent between the IdP and the RPs being logged out. The IdP renders an iFrame for each RP that registered a frontchannel_logout_uri endpoint during client registration.
SID = unique identifier of a session of the end user on a particular device/user agent, etc. Suppose that I logged in from an Android phone in a game app, and the game app uses OpenID and authenticates with either Facebook or Google. The game app launches the user agent and connects to the OpenID provider. Here authentication happens and the app gets the ID token (which contains the SID). The game app requests the user claims from the OpenID provider and then creates a session on the device, but also sends the user information to create the session on the game app server (the RP here).
Now suppose I logged into another app on the same phone or a different phone and did exactly the same thing. I am now logged into two different apps which have their own sessions, but I will be having two sessions at the OP. How will the OP distinguish which session to kill? If no SID is there, it will kill all sessions; if a SID is there, only that session can be killed.
This is the simplest explanation I can give. Everything else is just how this is achieved.
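To make the answer concrete from the RP's side, here is an added example (not code from the question, the answer, or any OIDC library) of how an RP keys its own local sessions by the OP's (iss, sid) pair and, on receiving a logout token, terminates only the session that token names. The OP stand-in signs with HS256 and a constructed shared secret purely so the whole exchange runs offline; a real OP signs with the asymmetric key on its JWKS endpoint. Issuer, client id, session ids and the jti values are constructed placeholders. The validation steps in verify_logout_token follow the spec's logout-token rules: issuer, audience, iat, the back-channel-logout event in events, sub or sid present, and no nonce.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI every logout token must carry inside its "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_IAT_SKEW_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(issuer, client_id, key, sid=None, sub=None, jti="constructed-jti-1"):
    """OP side (constructed stand-in): mint an HS256-signed logout token."""
    if sid is None and sub is None:
        raise ValueError("a logout token needs sub or sid (or both)")
    payload = {"iss": issuer, "aud": client_id, "iat": int(time.time()), "jti": jti,
               "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    if sid is not None:
        payload["sid"] = sid
    if sub is not None:
        payload["sub"] = sub
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_logout_token(token, issuer, client_id, key):
    """RP side: signature plus the claim checks the Back-Channel Logout spec requires."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this RP")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(time.time() - iat) > MAX_IAT_SKEW_SECONDS:
        raise ValueError("iat missing or outside the acceptable window")
    if not claims.get("jti"):
        raise ValueError("jti missing")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token carries neither sub nor sid")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    return claims


class RpSessionStore:
    """The RP's own sessions, each remembering the OP session (iss, sid) it was created from."""

    def __init__(self):
        self._sessions = {}  # local session id -> {"iss", "sub", "sid"}
        self._seen_jti = set()

    def create(self, local_id, iss, sub, sid):
        self._sessions[local_id] = {"iss": iss, "sub": sub, "sid": sid}

    def active(self):
        return sorted(self._sessions)

    def handle_logout(self, claims):
        """Terminate only the sessions the token names; return their local ids."""
        if claims["jti"] in self._seen_jti:
            raise ValueError("replayed logout token")
        self._seen_jti.add(claims["jti"])
        sid, sub = claims.get("sid"), claims.get("sub")
        hit = []
        for local_id, s in self._sessions.items():
            if s["iss"] != claims["iss"]:
                continue  # sid is only unique per issuer, so never match across OPs
            if sid is not None and s["sid"] == sid:
                hit.append(local_id)  # one OP session -> one RP session
            elif sid is None and s["sub"] == sub:
                hit.append(local_id)  # sub only -> every session of that user
        for local_id in hit:
            del self._sessions[local_id]
        return sorted(hit)


def demo():
    """One user, two devices, two OP sessions; the OP logs out only the first one."""
    key = b"constructed-shared-secret"
    iss, client = "https://op.example", "game-app"  # constructed values
    store = RpSessionStore()
    store.create("phone-A-session", iss, "user-1", "sid-A")
    store.create("phone-B-session", iss, "user-1", "sid-B")
    token = make_logout_token(iss, client, key, sid="sid-A", sub="user-1")
    terminated = store.handle_logout(verify_logout_token(token, iss, client, key))
    return terminated, store.active()
```

The point the answer makes is visible in demo(): because each RP session recorded the sid from its ID token, a logout token carrying sid-A ends the phone-A session and leaves phone-B logged in, whereas a token with only sub would end both. The jti set guards against a replayed token, and the issuer check matters because the spec only guarantees sid uniqueness per issuer.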