Session management #87
Comments
|
Let's assume to implement this code refactor, which would be the changements, strictly technicals, about the actual approach? that's something that would be defined in a general documentation (fancy drawings or text). |
peppelinux
added
enhancement
Long time not read this ... |
|
The documentation are starting to come together. Please read https://new-session-management.readthedocs.io/en/latest/ |
|
actually "question at night, shame during the day" and I often find it difficult to understand myself! Overall my question is outside the scope of oidcendpoint because it strictly refers to the implementation of SSO on the provider side and not in how oidcendpoint manages the session internally. As soon as I can put my hand to the new session management system I will find the answer with something practical but in fact I already read in the documentation you shared: """ Well, would be great to manage this behavior in oidcendpoint general configuration if you agree It would be useful - like so many things in this world, so leave the time it finds - to create a "drawing" of the relationship pattern that makes up the management of the session. If I have a chance, I'll report it on the documentation |
|
To make an OP support SSO or not support SSO is pretty simple. |
Correct me if I'm wrong but generally that's would be done with a second cookie crafted for SameSite avoidance and a sid in it - probably crypted and salted - that would be recognized by OP. The cookie wouldn't expire until the session will be refreshed by tokens |
|
Sorry, I was thinking more along the lines that and OP supported SSO for some clients but not for others. How SSO is handled between the RP and the OP, using cookies or ... was not what I was thinking about. And yes in the session management subsystem cookies with encrypted content (containing the sid) is used to keep SSO going. |
Hey... That's something really interesting! |
|
Trust me to come up with something you've never thought of before :-) :-) |
My present thinking is this:
When a user completes a successful authentication at an OP a session is created.
There is one session per user_id and client_id combination.
That means that if the user sends an authentication request from another client and SSO is used then a new session is created. The 2 sessions have an authentication event in common.
If SSO was not allowed then the 2 sessions, even if they concerned the same user_id, would not have a common authentication event.
This means that at the top of the session management tree we would have a number of authentication events.
Now within a session grants can be given. These grants can lead to authorization codes, access tokens and/or refresh tokens to be issued.
So we have a hierarchy:
This would allow us easy handling of single logout as well as dealing with grant management as described in
Grant Management
There are connections between grants, for instance it's useful to know which refresh token was used to issue which access token.
The text was updated successfully, but these errors were encountered: