[mitreid-connect] How is possible to put into a browser cookie the ID token?

Michael Furman michael_furman at hotmail.com
Sun Aug 28 07:52:33 EDT 2016


Hi Justin,
Thank you!
I have read the Session management specification:

http://openid.net/specs/openid-connect-session-1_0.html
Does your IDP support the Session management specification?
What is the Session management endpoint?
Does your RP support the Session management specification?
Best regards,
   Michael


________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Thursday, August 25, 2016 10:11 PM
To: Michael Furman
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?

It's a per-application pattern because it's going to be very specific to your platform.

 - Justin

On Aug 25, 2016, at 11:38 AM, Michael Furman <michael_furman at hotmail.com> wrote:


Thank you for your help!
I want to set the cookie between the RP and the browser.

Your demo application follows the correct pattern (and I want to follow the same pattern):
a) Use the ID token to establish the authentication
b) Create the application session
c) Add the browser cookie (JsessionID)

We want to use your application for our Java client, but we also have a CPP client and we want to use the mod_auth_openidc client
https://github.com/pingidentity/mod_auth_openidc
The question is whether the pattern above is RP behavior defined in some RFC, so that all RPs will need to implement it, or whether it is an application pattern that I need to implement in code myself.
Best regards,
   Michael



________________________________
From: mitreid-connect-bounces at mit.edu <mitreid-connect-bounces at mit.edu> on behalf of Justin Richer <jricher at mit.edu>
Sent: Thursday, August 25, 2016 5:33 PM
To: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?

Don't do that. The browser cookie needs to be between the RP and the browser, not the IdP and the browser. The demo application follows the correct pattern: use the ID token to establish authentication, then create a session in the application itself.

 -- Justin

On 8/25/2016 10:06 AM, Michael Furman wrote:
Hi all,
I want to put the ID token into a browser cookie after the OpenID Connect implicit flow.
I want to eliminate the redirects to the IDP for each request.
How can I do it?
Do we have any RFC that describes how to make an RP stateful?

I do know that the demo simple-web-app adds the Jsession cookie after the authentication.
My question is whether we have some RFC, so that all RPs may be stateful.
Thank you in advance for your help.

Best regards,
   Michael
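
The pattern discussed in this thread (use the ID token to establish authentication, create the application session, set a cookie between the RP and the browser), shown as an added Python example that is not code from the thread, MITREid Connect or mod_auth_openidc. The issuer, client id, HS256 shared secret, cookie name and the `make_token` helper are constructed assumptions; an RP whose IdP signs with RS256 would verify against the IdP's published key instead.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample values (assumptions, not taken from the thread).
ISSUER, CLIENT_ID, CLIENT_SECRET = "https://idp.example", "rp-client", b"demo-secret"
SESSIONS = {}  # server-side store: opaque session id -> who is logged in

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(signing_input):
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()

def verify_id_token(token, nonce, now=None):
    """Step a: check the HS256 signature, then iss, aud, exp, nonce and sub."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError:
        raise ValueError("malformed ID token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed ID token")
    if header.get("alg") != "HS256":  # refuse "none" and any unexpected algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(f"{head}.{body}"), given):
        raise ValueError("bad signature")
    aud, exp = claims.get("aud"), claims.get("exp")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce or not claims.get("sub"):
        raise ValueError("nonce mismatch or missing sub")
    return claims

def login(token, nonce, now=None):
    """Steps b and c: create the RP session and return its Set-Cookie value."""
    claims = verify_id_token(token, nonce, now)
    sid = secrets.token_urlsafe(32)  # opaque id; the ID token itself stays out of the cookie
    SESSIONS[sid] = {"sub": claims["sub"], "iss": claims["iss"]}
    return f"__Host-rp_session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def make_token(claims, alg="HS256"):
    """Plays the IdP for the constructed sample; not part of a real RP."""
    head, body = _b64e(json.dumps({"alg": alg}).encode()), _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(head + '.' + body))}"
```

Later requests are authenticated by looking the cookie value up in `SESSIONS`, so no redirect to the IdP is needed until the RP session ends.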



