<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p></p>
<p class="MsoNormal">Hi Justin,<br>
Thank you!</p>
<p class="MsoNormal">I have read the Session management specification:</p>
<pre><a id="LPlnk982101" href="http://openid.net/specs/openid-connect-session-1_0.html">http://openid.net/specs/openid-connect-session-1_0.html</a></pre>
<p class="MsoNormal">Is your IDP supports the Session management specification?</p>
<p class="MsoNormal">What is the Session management endpoint?</p>
<p class="MsoNormal">Is your RP supports the Session management specification?</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal"><span style="mso-spacerun:yes"> </span>Michael</p>
<br>
<p></p>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Justin Richer <jricher@mit.edu><br>
<b>Sent:</b> Thursday, August 25, 2016 10:11 PM<br>
<b>To:</b> Michael Furman<br>
<b>Cc:</b> mitreid-connect@mit.edu<br>
<b>Subject:</b> Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?</font>
<div> </div>
</div>
<div>It’s a per-application pattern because it’s going to be very specific to your platform.
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 25, 2016, at 11:38 AM, Michael Furman <<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you for your help!</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I want to set the cookie between the RP and the browser.<br class="">
<br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Your demo application follows the correct pattern (and I want to follow the same pattern):</div>
<div class="" style="margin-top:0px; margin-bottom:0px; text-indent:-0.25in"><span class=""><span class="">a)<span class="" style="font-style:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> <span class="Apple-converted-space"> </span></span></span></span><span dir="LTR" class=""></span>-
Use the ID token to establish the authentication</div>
<div class="" style="margin-top:0px; margin-bottom:0px; text-indent:-0.25in"><span class=""><span class="">b)<span class="" style="font-style:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> <span class="Apple-converted-space"> </span></span></span></span><span dir="LTR" class=""></span>-
Create the application session</div>
<div class="" style="margin-top:0px; margin-bottom:0px; text-indent:-0.25in"><span class=""><span class="">c)<span class="" style="font-style:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> <span class="Apple-converted-space"> </span></span></span></span><span dir="LTR" class=""></span>-
Add the browser cookie (JsessionID)</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px"> </p>
<div class="" style="margin-top:0px; margin-bottom:0px">We want to use your application for our Java client but we have also CPP client and we want to use mod_auth_openidc client<span class="Apple-converted-space"> </span><br class="">
<a id="LPlnk900372" href="https://github.com/pingidentity/mod_auth_openidc" class="">https://github.com/pingidentity/mod_auth_openidc</a></div>
<div class="" style="margin-top:0px; margin-bottom:0px">The question if the pattern above is RP behavior defined in some RFC and therefore all RP will need to implement it or it is the application pattern and therefore I need to implement it in code by myself.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class=""> <span class="Apple-converted-space"> </span></span>Michael</div>
</div>
<br class="">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<br class="">
<br class="">
<div class="" style="">
<hr tabindex="-1" class="" style="display:inline-block; width:1716.953125px">
<div id="divRplyFwdMsg" dir="ltr" class=""><font class="" style="font-size:11pt" face="Calibri, sans-serif"><b class="">From:</b><span class="Apple-converted-space"> </span><a href="mailto:mitreid-connect-bounces@mit.edu" class="">mitreid-connect-bounces@mit.edu</a>
<<a href="mailto:mitreid-connect-bounces@mit.edu" class="">mitreid-connect-bounces@mit.edu</a>> on behalf of Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class="">
<b class="">Sent:</b><span class="Apple-converted-space"> </span>Thursday, August 25, 2016 5:33 PM<br class="">
<b class="">To:</b><span class="Apple-converted-space"> </span><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?</font>
<div class=""> </div>
</div>
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Don't do that. The browser cookie needs to be between the RP and the browser, not the IdP and the browser. The demo application follows the correct pattern: use the ID token to establish authentication,
then create a session in the application itself.</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px"> -- Justin<br class="">
</div>
<br class="">
<div class="moz-cite-prefix">On 8/25/2016 10:06 AM, Michael Furman wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div id="divtagdefaultwrapper" class="" style="font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Hi all,</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I want to put into a browser cookie the ID token after the OpenID Connect implicit flow.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I want to eliminate the redirects to IDP for each requests.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">How to do it?<br class="">
Do we have any RFC that describes how to make RP stateful?</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px"> </p>
<div class="" style="margin-top:0px; margin-bottom:0px">I do know that the demo simple-web-app adds Jsession cookie after the authentication.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">My question if we have some RFC and therefore all RP may be stateful.<br class="">
Thank you in advance for your help.</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px"> </p>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class=""> <span class="Apple-converted-space"> </span></span>Michael</div>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset><br class="">
<pre class="">_______________________________________________
mitreid-connect mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>
<a class="moz-txt-link-freetext" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></pre>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</body>
</html>