Open ID ABC session management

From IIW

Session Topic: OpenID Session Management (T3E)

Convener: Breno de Medeiros, John Bradley

Notes-taker(s): Mike Jones

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Breno introduced the id_token and went through session establishment procedure.

Id_token:

  • Is a JWT
  • Identifies user
  • Contains an audience restriction
  • Has limited duration

In the AB/C spec, the id_token is called “openid”.  It is the identity assertion for OpenID AB/C.  
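As an added example (not from the session, and not code from any OpenID AB/C implementation), a minimal relying-party check of an id_token with exactly the four properties listed above: it is a signed JWT, it names a user, it is audience-restricted and it has a limited lifetime. The claim names `aud` and `exp` follow JWT; the `user_id` claim, the shared HMAC key, the RP identifier and the HS256 choice are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes) -> str:
    """Provider side: issue a compact HS256 JWT over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token: str, key: bytes, expected_aud: str,
                    now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """RP side: return (claims, "ok"), or (None, reason) for a rejected token.
    The order matters: algorithm header, then signature, and only then the
    claims, so nothing in an unverified body is ever acted on."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:          # bad base64url or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "bad-alg"  # refuses alg=none and algorithm substitution
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad-signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:   # audience restriction: minted for another RP
        return None, "wrong-audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:   # limited duration
        return None, "expired"
    if not claims.get("user_id"):           # constructed claim naming the user
        return None, "no-user"
    return claims, "ok"
```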

Breno raised the question about whether the JWT should contain an authorization context.

George Fletcher questioned whether having an authorization context is a good use of space.

John Bradley stated that we don’t want to add every feature of SAML tokens to JWTs.  

We discussed that we could define extensions to convey information about the user’s login state.

George raised the question of whether the PAPE information should be in the token.  

We discussed using the equivalent of a “checkid_immediate that doesn’t give you an access token” to extend the current session or revive an expired session.  In either case, the authentication quality may have changed, so the id_token may need to contain the PAPE state.  

If the user signs out at the provider, within a few minutes the user should be signed out at the RPs.  

Session management is different for the user agent flow.

Our security considerations will work to prevent leaking id_tokens.