[mitreid-connect] How is possible to put into a browser cookie the ID token?
Justin Richer
jricher at mit.edu
Sun Aug 28 16:14:57 EDT 2016
Neither component currently supports the session management extension. There are some pull requests that implement parts of it that haven’t been evaluated and incorporated yet.
— Justin
> On Aug 28, 2016, at 7:52 AM, Michael Furman <michael_furman at hotmail.com> wrote:
>
> Hi Justin,
> Thank you!
> I have read the Session management specification:
> http://openid.net/specs/openid-connect-session-1_0.html
> Does your IDP support the Session management specification?
> What is the Session management endpoint?
> Does your RP support the Session management specification?
> Best regards,
> Michael
>
>
> From: Justin Richer <jricher at mit.edu>
> Sent: Thursday, August 25, 2016 10:11 PM
> To: Michael Furman
> Cc: mitreid-connect at mit.edu
> Subject: Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?
>
> It’s a per-application pattern because it’s going to be very specific to your platform.
>
> — Justin
>
>> On Aug 25, 2016, at 11:38 AM, Michael Furman <michael_furman at hotmail.com> wrote:
>>
>> Thank you for your help!
>> I want to set the cookie between the RP and the browser.
>>
>> Your demo application follows the correct pattern (and I want to follow the same pattern):
>> a) - Use the ID token to establish the authentication
>> b) - Create the application session
>> c) - Add the browser cookie (JsessionID)
>>
>> We want to use your application for our Java client, but we also have a CPP client and we want to use the mod_auth_openidc client:
>> https://github.com/pingidentity/mod_auth_openidc
>> The question is whether the pattern above is RP behavior defined in some RFC, so that all RPs will need to implement it, or whether it is an application pattern that I need to implement in code myself.
>> Best regards,
>> Michael
>>
>>
>>
>> From: mitreid-connect-bounces at mit.edu on behalf of Justin Richer <jricher at mit.edu>
>> Sent: Thursday, August 25, 2016 5:33 PM
>> To: mitreid-connect at mit.edu
>> Subject: Re: [mitreid-connect] How is possible to put into a browser cookie the ID token?
>>
>> Don't do that. The browser cookie needs to be between the RP and the browser, not the IdP and the browser. The demo application follows the correct pattern: use the ID token to establish authentication, then create a session in the application itself.
>>
>> -- Justin
>>
>> On 8/25/2016 10:06 AM, Michael Furman wrote:
>>> Hi all,
>>> I want to put into a browser cookie the ID token after the OpenID Connect implicit flow.
>>> I want to eliminate the redirects to IDP for each request.
>>> How to do it?
>>> Do we have any RFC that describes how to make RP stateful?
>>>
>>> I do know that the demo simple-web-app adds a Jsession cookie after the authentication.
>>> My question is whether we have some RFC and therefore all RPs may be stateful.
>>> Thank you in advance for your help.
>>>
>>> Best regards,
>>> Michael
>>>
>>>
>>>
>>> _______________________________________________
>>> mitreid-connect mailing list
>>> mitreid-connect at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
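
The pattern discussed in this thread (use the ID token to establish authentication, create the application session, hand the browser only a session cookie), as an added example that is not part of the thread and is not MITREid Connect or mod_auth_openidc code. It assumes the ID token's signature has already been verified by an OIDC library, and the issuer, client ID, cookie name and function names are all hypothetical.

```python
import secrets
import time
from http.cookies import SimpleCookie

ISSUER = "https://idp.example.org/"   # assumed IdP issuer (placeholder)
CLIENT_ID = "demo-rp"                 # assumed client_id of this RP (placeholder)
SESSION_TTL = 1800                    # RP session lifetime in seconds (local policy)
_sessions = {}                        # session id -> server-side state, never sent to the browser

def check_id_token_claims(claims, expected_nonce, now=None):
    """Claim checks on an ID token whose signature was already verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token was not issued to this RP")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    nonce = str(claims.get("nonce", "")).encode()
    if not secrets.compare_digest(nonce, expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims["sub"]

def start_session(claims, expected_nonce, now=None):
    """Authenticate from the ID token, create the RP session, return the Set-Cookie value."""
    now = time.time() if now is None else now
    sub = check_id_token_claims(claims, expected_nonce, now)
    sid = secrets.token_urlsafe(32)   # opaque random id; the ID token itself is not stored in the cookie
    _sessions[sid] = {"sub": sub, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["RPSESSION"] = sid
    cookie["RPSESSION"].update(
        {"httponly": True, "secure": True, "samesite": "Lax", "path": "/"})
    return cookie["RPSESSION"].OutputString()

def current_user(cookie_header, now=None):
    """Resolve a request's Cookie header to a subject, or None if absent, unknown or expired."""
    now = time.time() if now is None else now
    morsel = SimpleCookie(cookie_header or "").get("RPSESSION")
    state = _sessions.get(morsel.value) if morsel else None
    if state is None or state["expires"] <= now:
        return None
    return state["sub"]
```

Subsequent requests are served from the RP's own session, so no redirect to the IdP is needed until that session expires.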