
List:       wsf-javascript-dev
Subject:    Re: [Dev] OpenID Connect based SLO for AS
From:       Abilashini Thiyagarajah <abilashini () wso2 ! com>
Date:       2016-11-29 5:45:10
Message-ID: CAA_6R09OV-nbG4Jtjk28SLNaUgDSg_8mhKw1OhA+myRDLEXvNQ () mail ! gmail ! com

Hi,
As mentioned above, when the RP iFrame receives a 'changed' message from
the OP iFrame, it loads a request with the suffix 're-authenticate' in
the browser window. The request will be handled by the tomcat valve as a
re-authentication request, and an authentication request will be redirected
to the authentication endpoint with the parameter prompt=none to indicate
that the request should be handled without login.

   - If the session is valid in the OpenID Provider (OP), the browser will
   be redirected back with an authentication response carrying a new session
   state. So the session state will be updated and used by the RP iFrame to
   poll the OP iFrame.
   - If the session is not valid, which means the end user has been logged
   out from the OP, then the response will be received with the error
   "login_required". So the valve will redirect the user to the welcome page
   to start the flow.

This is how Single Logout has been implemented in the tomcat extension
for OpenID Connect.

Thank you,
Abilashini

On Fri, Nov 4, 2016 at 10:47 AM, Abilashini Thiyagarajah <
abilashini@wso2.com> wrote:

> Hi,
>
> Now I am working on the $subject and I need some clarifications on the
> concept to start the implementation.
>
>    - According to the specification
>    <http://openid.net/specs/openid-connect-session-1_0.html#RPiframe> of
>    OpenID Session Management, there should be an RP iframe which should be
>    written by the web application developer.
>
>    - The RP iframe should repeatedly poll the OP iframe, which will be
>    available at the iframe endpoint of the OpenID Provider, with the client
>    ID to get a message according to the session state.
>
>    - So when the end user logs out from the IDP, the RP iframes of all the
>    webapps logged in from the same browser will get the message "changed".
>
>    - After receiving this message the RP iframe will send a re-authenticate
>    request with 'prompt=none' to the authorization endpoint of the IDP.
>
>    - If it does not receive a valid ID Token, then the web app/valve should
>    handle this as a logout.
>
> Please share your concerns on this.
>
> Thank you in advance,
>
> Abilashini
>
> --
> T. Abilashini
> Intern
> Software Engineering
> WSO2 Inc. http://wso2.com/
> Phone +94 719248432
>


-- 
T. Abilashini
Intern
Software Engineering
WSO2 Inc. http://wso2.com/
Phone +94 719248432
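The RP-side flow described in this thread (poll the OP iframe, react to "changed" by re-authenticating with prompt=none, treat a login_required error as logout) as an added example. This is not the WSO2 valve's code; the origin value, endpoint and parameter names are assumptions for the example, and the sample inputs are constructed.

```javascript
// Added example of the OIDC Session Management RP logic discussed above.
// Not the WSO2 tomcat extension's code; names below are assumptions.

// Message the RP iframe posts to the OP iframe: "<client_id> <session_state>".
function buildSessionCheckMessage(clientId, sessionState) {
  return `${clientId} ${sessionState}`;
}

// Interpret a postMessage reply from the OP iframe. The origin check is what
// stops an unrelated frame from forcing a re-authentication or a logout.
// Returns "ignore", "unchanged", "reauthenticate" or "error".
function handleOpMessage(event, opOrigin) {
  if (event.origin !== opOrigin) return "ignore";
  switch (event.data) {
    case "unchanged": return "unchanged";
    case "changed":   return "reauthenticate"; // load the re-authenticate URL
    default:          return "error";          // OP could not parse the message
  }
}

// Silent re-authentication request: prompt=none asks the OP to answer
// without showing a login page.
function buildReauthUrl(authzEndpoint, { clientId, redirectUri, state, nonce }) {
  const u = new URL(authzEndpoint);
  u.searchParams.set("response_type", "id_token");
  u.searchParams.set("scope", "openid");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  u.searchParams.set("nonce", nonce);
  u.searchParams.set("prompt", "none");
  return u.toString();
}

// What the valve does with the response to that request (response
// parameters parsed into a plain object). A returned id_token must still be
// validated (signature, issuer, audience, nonce) before the session is kept.
function handleReauthResponse(params) {
  if (params.error === "login_required") return { action: "logout" };
  if (params.error) return { action: "error", error: params.error };
  if (params.id_token && params.session_state) {
    return { action: "update", sessionState: params.session_state };
  }
  return { action: "error", error: "invalid_response" };
}
```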

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

