Session state in OpenID Connect Session Management


I am developing OpenID Connect Session Management for an existing IDP. The spec says we should send the session state from the RP to the OP. I need to know what session state really means here. I also need to know what I should use as the salt value.

The session state value is something the OP provides to the RP in the Authentication Response at the original login. The value is opaque to the RP; it only needs to keep track of it and send it back to the OP in the postMessage call from the RP iframe to the OP iframe, so that the OP can correlate it.

As the spec says at http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions:

When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.

This parameter is:

session_state
Session State. JSON string that represents the End-User's login state at the OP. It MUST NOT contain the space (" ") character. This value is opaque to the RP. This is REQUIRED if session management is supported. The Session State value is initially calculated on the server. The same Session State value is also recalculated by the OP iframe in the browser client. The generation of suitable Session State values is specified in Section 4.2, and is based on a salted cryptographic hash of Client ID, origin URL, and OP browser state. For the origin URL, the server can use the origin URL of the Authentication Response, following the algorithm specified in Section 4 of RFC 6454 [RFC6454].