Comments (9)
Let's assume we implement this code refactor: what would the changes be, strictly technical ones, to the current approach?
I mean, for example, the first query on the data persistence layer concerns the STATE value; what would be the new flow for the reunification approach to follow, to match an existing sid/sub with an incoming authz request?
That's something that would be defined in general documentation (fancy drawings or text).
That would be the starting point for developers who implement third-party storage engines.
We're facing a good opportunity to open a road to this.
from oidcendpoint.
There are connections between grants, for instance it's useful to know which refresh token was used to issue which access token.
Long time since I read this ...
I agree, each token and refresh token must be linked to a session. Wondering about SSO: is there some clue about session reuse (based on a cookie...) or does it simply rely on having another auth and another session if a bearer wasn't submitted in the request?
from oidcendpoint.
The documentation is starting to come together. Please read https://new-session-management.readthedocs.io/en/latest/
Not sure I really understand your question.
from oidcendpoint.
Actually "question at night, shame during the day" and I often find it difficult to understand myself!
Overall my question is outside the scope of oidcendpoint because it strictly refers to the implementation of SSO on the provider side and not in how oidcendpoint manages the session internally.
As soon as I can put my hands on the new session management system I will find the answer with something practical, but in fact I already read in the documentation you shared:
"""
Note that we are dealing with a Single Sign On (SSO) context here. If for some reason the OP does not want to support SSO then the session management has to be done a bit differently. In that case each session (user_id, client_id) would have its own authentication event. Not one shared between the sessions.
"""
Well, it would be great to manage this behavior in the oidcendpoint general configuration, if you agree.
It would be useful - like so many things in this world, so leave the time it finds - to create a "drawing" of the relationship pattern that makes up the management of the session. If I have a chance, I'll report it in the documentation.
from oidcendpoint.
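To make the two points above concrete (tokens linked to a session, and an authentication event shared across a user's sessions only when SSO is on), here is an added toy session store. It is example code written for this thread, not oidcendpoint's implementation; the class and field names (SessionManager, AuthnEvent, lineage) are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthnEvent:
    """One user authentication; shared across sessions only when SSO is on."""
    uid: str
    method: str
    event_id: str = field(default_factory=lambda: secrets.token_hex(8))


class SessionManager:
    def __init__(self, sso: bool = True):
        self.sso = sso           # OP-wide switch, as suggested in the thread
        self.sessions = {}       # sid -> {"uid", "client_id", "authn_event"}
        self.by_user = {}        # uid -> [sid, ...]
        self.tokens = {}         # token -> {"sid", "type", "parent"}

    def authenticate(self, uid: str, client_id: str, method: str = "password") -> str:
        """Create a (uid, client_id) session and return its sid.

        With SSO the user's existing authentication event is reused, so a
        second RP gets a session without a new login; without SSO every
        session carries its own event, as the quoted documentation says."""
        event = None
        if self.sso:
            for sid in self.by_user.get(uid, []):
                event = self.sessions[sid]["authn_event"]
                break
        if event is None:
            event = AuthnEvent(uid, method)
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"uid": uid, "client_id": client_id, "authn_event": event}
        self.by_user.setdefault(uid, []).append(sid)
        return sid

    def issue(self, sid: str, token_type: str, parent: Optional[str] = None) -> str:
        """Mint a token bound to sid; parent records which token produced it."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"sid": sid, "type": token_type, "parent": parent}
        return token

    def lineage(self, token: str) -> list:
        """Walk parent links, e.g. access token -> refresh token -> code."""
        chain = []
        while token is not None:
            chain.append(self.tokens[token]["type"])
            token = self.tokens[token]["parent"]
        return chain
```

The lineage walk is what lets an OP answer "which refresh token issued this access token" and revoke the whole chain with the session.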
To make an OP support SSO or not support SSO is pretty simple.
To do it per client is not so simple but can probably be done.
from oidcendpoint.
To make an OP support SSO or not support SSO is pretty simple.
To do it per client is not so simple but can probably be done.
Correct me if I'm wrong, but generally that would be done with a second cookie crafted for SameSite avoidance with a sid in it - probably encrypted and salted - that would be recognized by the OP. The cookie wouldn't expire until the session is refreshed by tokens.
from oidcendpoint.
Sorry, I was thinking more along the lines that an OP supported SSO for some clients but not for others.
How SSO is handled between the RP and the OP, using cookies or ..., was not what I was thinking about.
And yes, in the session management subsystem cookies with encrypted content (containing the sid) are used to keep SSO going.
from oidcendpoint.
Sorry, I was thinking more along the lines that an OP supported SSO for some clients but not for others.
Hey... That's something really interesting!
I never thought about that, thank you, something new.
from oidcendpoint.
Trust me to come up with something you've never thought of before :-) :-)
from oidcendpoint.