Comments (10)
OIDC board is unsure right now what the right approach is - we will postpone that feature.
from identityserver3.
Is there any update on this? I understand that the spec is still a draft, but I think this is required for functionally implementing the implicit flow in a SPA.
from identityserver3.
We will implement that at some point - but it does not have a high priority.
The spec is actively discussed in the working group right now - expect changes.
from identityserver3.
Interesting, am I correct in understanding that without the check_session_iframe the only way for a session to end, once a user has been authenticated, is for the ID token to expire?
Does this not prevent use of the implicit flow?
from identityserver3.
No - the id token is just the outcome of the authentication process - it is not used to establish a session. The client itself is responsible for creating a session of some sorts.
from identityserver3.
I guess I just mean that without support for the Session Management Spec, specifically check_session_iframe, a RP is left with 2 options:
- Wait for the ID token to expire
- Ping the OP for authentication with prompt set to none and interpret an error as the user being logged out
I think the first of which is impractical, but I guess option 2 works.
from identityserver3.
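Option 2 from the comment above, as an added example that is not part of the thread and not IdentityServer3 code: the RP builds a prompt=none authorization request for a hidden iframe and classifies the redirect it gets back. The endpoint, client id, redirect URI and function names are constructed placeholders; the error codes are the ones OpenID Connect Core defines for prompt=none.

```javascript
// Errors meaning "logged in or not, the OP would have to show UI".
// Only login_required says there is no OP session at all.
const INTERACTION_ERRORS = new Set([
  "interaction_required",
  "account_selection_required",
  "consent_required",
]);

// Build the implicit-flow request the RP loads in a hidden iframe.
function buildSilentAuthUrl(authorizeEndpoint, { clientId, redirectUri, state, nonce }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "id_token",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    prompt: "none", // never show a login or consent page
    state,
    nonce,
  }).toString();
  return url.toString();
}

// Classify the redirect the OP sent back to the iframe (fragment-encoded).
function interpretSilentAuthResponse(callbackUrl, expectedState) {
  const fragment = new URL(callbackUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  // A response carrying a different state did not come from our request.
  if (params.get("state") !== expectedState) {
    return { status: "rejected", reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error === "login_required") return { status: "logged_out", reason: error };
  if (INTERACTION_ERRORS.has(error)) return { status: "interaction_needed", reason: error };
  // Anything else (e.g. invalid_request) is a fault, not evidence of logout.
  if (error) return { status: "error", reason: error };
  const idToken = params.get("id_token");
  if (!idToken) return { status: "error", reason: "missing_id_token" };
  // The caller must still validate signature, iss, aud, exp and nonce.
  return { status: "logged_in", idToken };
}
```
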
Expect id tokens to be really short lived in practice - we are defaulting to 5 minutes IIRC.
- is mimicking the session management spec - so yes. That said - we will implement the spec - it is just not done yet.
from identityserver3.
@leastprivilege Now we have the RP initiated logout capability (http://leastprivilege.com/2014/10/14/identityserver-v3-and-post-logout-redirect/) [thank you] that requires the identity token to be maintained by the client in order to pass it back to the OP, are we expecting to have long lived id tokens now, or is 'exp' aspect of validating the token ignored for the logout?
from identityserver3.
Expiration is ignored.
On 14.10.2014, at 21:40, "Ciaran Jessup" wrote:
Now we have the RP initiated logout capability (http://leastprivilege.com/2014/10/14/identityserver-v3-and-post-logout-redirect/) [thank you] that requires the identity token to be maintained by the client in order to pass it back to the OP, are we expecting to have long lived id tokens now, or is 'exp' aspect of validating the token ignored for the logout?
from identityserver3.
OK - session ID and check_session_iframe is implemented on dev
from identityserver3.