[mitreid-connect] How is possible to put into a browser cookie the ID token?

Justin Richer jricher at mit.edu
Thu Aug 25 15:11:28 EDT 2016


It’s a per-application pattern because it’s going to be very specific to your platform. 

 — Justin

> On Aug 25, 2016, at 11:38 AM, Michael Furman <michael_furman at hotmail.com> wrote:
> 
> Thank you for your help!
> I want to set the cookie between the RP and the browser.
> 
> Your demo application follows the correct pattern (and I want to follow the same pattern):
> a) Use the ID token to establish the authentication
> b) Create the application session
> c) Add the browser cookie (JSESSIONID)
>  
> We want to use your application for our Java client, but we also have a C++ client, and for it we want to use the mod_auth_openidc client:
> https://github.com/pingidentity/mod_auth_openidc
> The question is whether the pattern above is RP behavior defined in some RFC, and therefore all RPs will need to implement it, or whether it is an application pattern, and therefore I need to implement it in code myself.
> Best regards,
>    Michael
> 
> 
> 
> From: mitreid-connect-bounces at mit.edu <mitreid-connect-bounces at mit.edu> on behalf of Justin Richer <jricher at mit.edu>
> Sent: Thursday, August 25, 2016 5:33 PM
> To: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?
>  
> Don't do that. The browser cookie needs to be between the RP and the browser, not the IdP and the browser. The demo application follows the correct pattern: use the ID token to establish authentication, then create a session in the application itself.
> 
>  -- Justin
> 
> On 8/25/2016 10:06 AM, Michael Furman wrote:
>> Hi all,
>> I want to put the ID token into a browser cookie after the OpenID Connect implicit flow.
>> I want to eliminate the redirects to the IdP for each request.
>> How to do it?
>> Do we have any RFC that describes how to make an RP stateful?
>>  
>> I do know that the demo simple-web-app adds a JSESSIONID cookie after authentication.
>> My question is whether we have some RFC, and therefore all RPs may be stateful.
>> Thank you in advance for your help.
>>  
>> Best regards,
>>    Michael
>> 
>> 
>> 
>> _______________________________________________
>> mitreid-connect mailing list
>> mitreid-connect at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect