OpenID Connect Session Management 1.0 overview

Airlock IAM implements the OpenID Connect Session Management 1.0 as defined by the OpenID Foundation.

OpenID Connect Session Management 1.0 allows session management across multiple tabs of a browser. Each tab can contain a web application (or another OAuth client) that was authenticated from the same login session. When the user logs out in one tab, all other tabs should be logged out within a reasonable time (e.g., within a few seconds).

Tracking is done via two iframes per tab: one from the OpenID Provider (OP iframe) and one from the Relying Party (RP iframe).

Use case sequence

The following picture shows an example of how the logout in one browser tab will propagate to the second tab of the same browser.

The example uses a website with an SSO setup for separate eBanking and stock market applications:

OIDC Session Management 1.0 Sequence

Phase 1

After successful authentication, the browser:

  • receives access and refresh tokens.
  • maintains a session state with the OP (authorization server).
  • receives a cookie to track the user agent state of this OP.

Phase 2

The user has opened 2 tabs in the browser. One contains a web application for eBanking, the other a stock market application. Since both run in the same browser, they share the cookie store that contains the OP cookie.

The JavaScript in the RP iframe regularly checks the OP iframe to determine whether the user agent state has changed.

Phase 3

This is the step where OpenID Connect Session Management 1.0 starts to be involved. The user decides to log out on the Stock Market application tab.

  • The logout updates the session in the OP and the cookie is deleted from the cookie store.
  • The Stock Market application shows an after-logout screen.

Phase 4

The eBanking application is still active and the RP iframe continues polling the OP iframe.

  • At the next poll after the logout, the OP iframe responds that the user agent state has changed.
  • This triggers the eBanking application to start an authorization code flow with prompt=none.
  • The authorization code flow will fail since the user session on the OP was terminated by the logout in the previous step.

Phase 5

The eBanking application is no longer authenticated.

Both tabs present the user with the default screen of an unauthenticated user.

iframe usage

For OpenID Connect Session Management 1.0 to work, every single-page application has to embed an OP and an RP iframe.

RP iframe properties:

  • The invisible iframe must be embedded in the single-page application.
  • This iframe constantly checks the state of the user agent by querying the OP iframe.
  • The implementation of the RP iframe is the responsibility of the client.

OP iframe properties:

  • The invisible iframe must be embedded in the single-page application.
  • This iframe can access the OP user agent state cookie and respond to the RP iframe queries.
  • The OpenID provider provides the OP iframe. It needs to be embedded in the page.

OIDC Session Management 1.0 Overview

The above picture shows the interactions between the RP and OP iframes:

  1. The RP iframe queries the OP iframe. It provides the client id and session state in this query.
  2. The OP iframe responds whether the state is the same or has changed. To determine this, it reads the OP user agent state cookie from the browser cookie store.
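The RP iframe side of this exchange, as an added example that is not Airlock IAM's or any client's own code. The query and reply format ("<client_id> <session_state>" sent to the OP iframe, "changed", "unchanged" or "error" sent back) is the one defined by the OIDC Session Management 1.0 specification; the OP origin, client id, element id and the two redirect targets are assumed values, and browser calls are injected so the message handling can run stand-alone.

```javascript
// Added example (not Airlock IAM code): RP iframe side of the OIDC Session
// Management 1.0 check. Browser calls are injected so the logic runs stand-alone.
function createRpSessionMonitor({ opOrigin, clientId, sessionState, postToOp, onChanged, onError }) {
  // Query sent to the OP iframe on every poll: "<client_id> <session_state>".
  function buildCheckMessage() {
    return `${clientId} ${sessionState}`;
  }
  // One poll; postToOp wraps opFrame.contentWindow.postMessage in a browser.
  // Passing the OP origin as target keeps the query from reaching a wrong frame.
  function poll() {
    postToOp(buildCheckMessage(), opOrigin);
  }
  // Handles a 'message' event and returns the action taken. Replies from any
  // origin other than the OP are ignored: otherwise any page able to post to
  // this window could force a logout or suppress one.
  function handleMessageEvent(event) {
    if (event.origin !== opOrigin) {
      return "ignored";
    }
    switch (event.data) {
      case "unchanged":
        return "unchanged";          // session still valid, keep polling
      case "changed":
        onChanged();                 // start authorization code flow with prompt=none
        return "reauthenticate";
      default:
        onError(event.data);         // "error": OP could not evaluate the query
        return "error";
    }
  }
  return { buildCheckMessage, poll, handleMessageEvent };
}

// Browser wiring; skipped outside a browser. Element id, origin, client id and
// the two redirect targets are assumed values for this example.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const opFrame = document.getElementById("op-iframe");
  const monitor = createRpSessionMonitor({
    opOrigin: "https://op.example.com",
    clientId: "ebanking",
    sessionState: new URLSearchParams(window.location.search).get("session_state") || "",
    postToOp: (msg, origin) => opFrame.contentWindow.postMessage(msg, origin),
    onChanged: () => { window.location.href = "/auth/start?prompt=none"; },
    onError: () => { window.location.href = "/logged-out"; },
  });
  window.addEventListener("message", (e) => monitor.handleMessageEvent(e));
  setInterval(() => monitor.poll(), 3000);  // poll every few seconds
}
```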

Features

  • Network traffic is optimized: the state check happens between the two iframes in the browser, so no polling of the OP server is required.
  • The user agent state is synchronized over tabs by using a single cookie shared by all OP iframes.

Limitations

  • Browsers are enforcing increasingly restrictive cookie policies. It is to be expected that the mechanism described here will only work for single-page applications that are loaded from the same origin as the OP. Cross-domain use cases are actively discouraged and will soon be disabled by browsers.