OIDC session management
17.7.1.7. AS-centric AS - OpenID Connect Session Management 1.0

This is an implementation of the OP part of the OpenID Connect Session Management 1.0 specification.

Limitations

OpenID Connect Session Management 1.0 is limited to session management across tabs in a browser and it is not a security feature. Its primary focus is to improve the end-user experience by notifying the user of a concurrent logout while being on a protected website.

To ensure the validity of the access token, token introspection and revocation should be used.

OpenID Connect Session Management 1.0 cannot be recommended in cross-domain scenarios as modern web browsers are becoming more restrictive in their handling of cookies.

It is a limitation of the underlying standard that session management cannot guarantee single logout in multi-tab browsing for the following cases:

  • session timeout will not be detected
  • closing a tab will not cause a session logout

Validation

OpenID Connect Session Management validates the origin of the RP iframe URL. The RP iframe URL MUST have the same origin (protocol, host, and port) as one of the registered client's redirect URLs.

Content Security Policy (CSP) must be configured to allow RP and OP iframes.
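The origin rule above (same protocol, host and port as one of the client's registered redirect URLs), shown as an added example that is not part of this documentation or of the product's own code; the registered redirect URIs below are constructed sample values, and the function names are the example's own.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Default ports per scheme, so "https://rp.example.com" and
# "https://rp.example.com:443" compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, int]  # (scheme, host, port)


def origin_of(url: str) -> Optional[Origin]:
    """Return the normalized origin of an absolute http(s) URL, or None if unusable.

    Scheme and host are compared case-insensitively; a missing port takes the
    scheme's default. Non-http(s) schemes and malformed ports are rejected.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def rp_iframe_origin_allowed(rp_iframe_url: str, registered_redirect_uris: List[str]) -> bool:
    """Accept the RP iframe URL only if its origin equals that of a registered redirect URI."""
    candidate = origin_of(rp_iframe_url)
    if candidate is None:
        return False
    return any(origin_of(uri) == candidate for uri in registered_redirect_uris)


# Constructed sample client registration (not a real deployment).
SAMPLE_REDIRECT_URIS = [
    "https://rp.example.com/callback",
    "https://app.example.org:8443/oidc/cb",
]

if __name__ == "__main__":
    for url in ("https://rp.example.com:443/session/iframe.html",
                "http://rp.example.com/session/iframe.html",
                "https://rp.example.com.attacker.test/iframe.html"):
        print(url, "->", rp_iframe_origin_allowed(url, SAMPLE_REDIRECT_URIS))
```

Only the path may differ from the registered redirect URL; a different scheme, a different port, or a host that merely starts with the registered host name is rejected.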

Instruction

  1. Go to: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> <affected AS>.
  2. In the OpenID Connect Features group, configure an OpenID Connect Session Management plugin.
  • OpenID Connect Session Management 1.0 is configured.