<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">It’s a per-application pattern because it’s going to be very specific to your platform.&nbsp;<div class=""><br class=""></div><div class="">&nbsp;— Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 25, 2016, at 11:38 AM, Michael Furman &lt;<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div id="divtagdefaultwrapper" style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-size: 12pt; background-color: rgb(255, 255, 255); font-family: Calibri, Arial, Helvetica, sans-serif;" class=""><p style="margin-top: 0px; margin-bottom: 0px;" class=""></p><div class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">Thank you for your help!</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I want to set the cookie between the RP and the browser.<br class=""><br class=""></div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Your demo application follows the correct pattern (and I want to follow the same pattern):</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class=""><span class=""><span class="">a)<span style="font-style: normal; font-variant-caps: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';" class="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span></span></span><span dir="LTR" class=""></span>- Use the ID token to establish the authentication</div><div style="margin-top: 0px; 
margin-bottom: 0px; text-indent: -0.25in;" class=""><span class=""><span class="">b)<span style="font-style: normal; font-variant-caps: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';" class="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span></span></span><span dir="LTR" class=""></span>- Create the application session</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class=""><span class=""><span class="">c)<span style="font-style: normal; font-variant-caps: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman';" class="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span></span></span><span dir="LTR" class=""></span>- Add the browser cookie (JsessionID)</div><p class="MsoNormal" style="margin-top: 0px; margin-bottom: 0px;">&nbsp;</p><div style="margin-top: 0px; margin-bottom: 0px;" class="">We want to use your application for our Java client, but we also have a CPP client and we want to use the mod_auth_openidc client<span class="Apple-converted-space">&nbsp;</span><br class=""><a id="LPlnk900372" href="https://github.com/pingidentity/mod_auth_openidc" class="">https://github.com/pingidentity/mod_auth_openidc</a></div><div style="margin-top: 0px; margin-bottom: 0px;" class="">The question is whether the pattern above is RP behavior defined in some RFC, and therefore all RPs will need to implement it, or whether it is an application pattern, and therefore I need to implement it in code myself.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Best regards,</div><div style="margin-top: 0px; margin-bottom: 0px;" class=""><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div></div><br class=""><p style="margin-top: 0px; margin-bottom: 0px;" class=""></p><br class=""><br class=""><div style="" class=""><hr tabindex="-1" style="display: 
inline-block; width: 1716.953125px;" class=""><div id="divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" style="font-size: 11pt;" class=""><b class="">From:</b><span class="Apple-converted-space">&nbsp;</span><a href="mailto:mitreid-connect-bounces@mit.edu" class="">mitreid-connect-bounces@mit.edu</a> &lt;<a href="mailto:mitreid-connect-bounces@mit.edu" class="">mitreid-connect-bounces@mit.edu</a>&gt; on behalf of Justin Richer &lt;<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>&gt;<br class=""><b class="">Sent:</b><span class="Apple-converted-space">&nbsp;</span>Thursday, August 25, 2016 5:33 PM<br class=""><b class="">To:</b><span class="Apple-converted-space">&nbsp;</span><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space">&nbsp;</span>Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?</font><div class="">&nbsp;</div></div><div class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">Don't do that. The browser cookie needs to be between the RP and the browser, not the IdP and the browser. 
The demo application follows the correct pattern: use the ID token to establish authentication, then create a session in the application itself.</div><div style="margin-top: 0px; margin-bottom: 0px;" class=""><br class=""></div><div style="margin-top: 0px; margin-bottom: 0px;" class="">&nbsp;-- Justin<br class=""></div><br class=""><div class="moz-cite-prefix">On 8/25/2016 10:06 AM, Michael Furman wrote:<br class=""></div><blockquote type="cite" class=""><div id="divtagdefaultwrapper" style="font-size: 12pt; background-color: rgb(255, 255, 255); font-family: Calibri, Arial, Helvetica, sans-serif;" class=""><div class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">Hi all,</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I want to put the ID token into a browser cookie after the OpenID Connect implicit flow.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I want to eliminate the redirects to the IDP for each request.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">How can I do it?<br class="">Do we have any RFC that describes how to make an RP stateful?</div><p class="MsoNormal" style="margin-top: 0px; margin-bottom: 0px;">&nbsp;</p><div style="margin-top: 0px; margin-bottom: 0px;" class="">I do know that the demo simple-web-app adds a Jsession cookie after the authentication.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">My question is whether we have some RFC, and therefore all RPs may be stateful.<br class="">Thank you in advance for your help.</div><p class="MsoNormal" style="margin-top: 0px; margin-bottom: 0px;">&nbsp;</p><div style="margin-top: 0px; margin-bottom: 0px;" class="">Best regards,</div><div style="margin-top: 0px; margin-bottom: 0px;" class=""><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div></div><br class=""></div><br class=""><fieldset class="mimeAttachmentHeader"></fieldset><br class=""><pre 
class="">_______________________________________________
mitreid-connect mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>
<a class="moz-txt-link-freetext" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></pre></blockquote></div></div></div></div></blockquote></div><br class=""></div></body></html>