OIDC session management
13.3.1.6. OpenID Connect Session Management 1.0 overview

Airlock IAM implements OpenID Connect Session Management 1.0 as defined by the OpenID Foundation.

OpenID Connect Session Management 1.0 is intended to allow session management across multiple tabs of a browser. Each tab contains a single-page application (SPA) that has been authenticated from the same login session. When the logout function is used in one tab, all other tabs should also be logged out within a reasonable time (e.g. within a few seconds).

Use case sequence

The following picture shows an example of how the logout in one browser tab will propagate to the second tab of the same browser. The example uses a website with an SSO setup for separate eBanking and stock market applications:

OIDC Session Management 1.0 Sequence

  1. After successful authentication the browser
     • receives access and refresh tokens.
     • maintains a session state with the OP (authorization server).
     • receives a cookie to track the user agent state of this OP.
  2. The user has opened two tabs in the browser. One contains an SPA for eBanking and the other a stock market application. Since both run in the same browser, they share the cookie store containing the OP cookie. The JavaScript in the RP iframe regularly queries the OP iframe to determine whether the user agent state has changed.
  3. This is the step where OpenID Connect Session Management 1.0 starts to be involved. The user decides to log out of the stock market application. The logout updates the session on the OP and the OP cookie is deleted from the cookie store.
  4. The stock market application shows an after-logout screen. The eBanking application is still active and its RP iframe continues to poll the OP iframe. The first poll after the logout receives the response that the user agent state has changed. This triggers the eBanking application to start an authorization code flow with prompt=none, which fails because the user session on the OP was terminated by the logout in the previous step.
  5. The eBanking application is no longer authenticated. Both tabs present the user with the default screen of an unauthenticated user.

iframe usage

For OpenID Connect Session Management 1.0 to work, every single-page application has to embed both an OP and an RP iframe. The OP and RP iframes have the following properties:

  • RP iframe:
    • Invisible iframe, embedded in the single-page application.
    • This iframe constantly checks the state of the user agent by querying the OP iframe.
    • The implementation of the RP iframe is the responsibility of the client.
  • OP iframe:
    • Invisible iframe, embedded in the single-page application.
    • This iframe has access to the OP user agent state cookie and can therefore answer the RP iframe's queries.
    • The OP iframe is provided by the OP and only needs to be embedded in the page.

OIDC Session Management 1.0 Overview

The above picture shows the interactions between RP and OP iframe:

  1. The RP iframe queries the OP iframe. It provides the client id and the session state in this query.
  2. The OP iframe responds with whether the state is unchanged or has changed. To determine this result, it reads the OP user agent state cookie from the browser cookie store.

Features

  • Network traffic is optimized. No polling of the OP is required.
  • The user agent state is synchronized over tabs by using a single cookie shared by all OP iframes.

Limitations

  • Browsers are handling cookie policies more and more restrictively. It is to be expected that the mechanism provided here will only work for single-page applications that are loaded from the same origin. Cross-domain use cases are actively discouraged and will soon be disabled by the browsers.

Further information and links