Session management #1543
Conversation
@lullis Thank you for working on this. I've only given it a cursory review, but it looks like a great start. It'll probably be late next week before I can look at this closely. Ping me again if I don't manage to get you a review by next Friday.
…ion-1_0.html) To enable it, the user must add OIDC_SESSION_MANAGEMENT_ENABLED and provide OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY in the OAUTH2_PROVIDER settings, and add the proper middleware.

This PR contains:

- change in AuthorizationView to return 'session_state' parameter in authentication response
- a SessionIFrameView as part of the OIDC views, which renders the content of the iframe used by RPs to keep track of session state changes.
- middleware that sets the cookie
- Documentation
- Test for the changed authentication view
@lullis I'm quite busy at the moment. I think that I should be able to have a look at this in the next ~3 months. Do please remind me if I forget it.
@Qup42, just pinging to remind you about this PR.
@lullis any guidance on testing procedures for this PR?
@dopry I got a small app going to test these features at https://codeberg.org/raphael/oidc-client-testbed. I won't make any strong claims about its overall quality (I relied on Cursor to generate a lot of the boilerplate and the vue components), but I did check the actual functionality and it works well enough to check the session frame part.
@lullis I was wondering more about test plans I could follow for testing manually. I can try to use your OIDC test bed, we also have the test/app/rp which we can use, although it may need to be updated. Not sure if I have session handling in that client.
@dopry, I am reasonably confident that there is nothing about session handling in that client - at least not related to the session iframe. I started my vue app precisely because I couldn't find any demo application that exercised this functionality. Anyway, I was testing this with my app by running both the idp and the vue app. You can then log in through the vue app, which will authenticate you in the idp. Once you log in there will be a "session info" tab that will show you as logged in. You can open a console and you will see that the rp has an iframe which will be pinging the idp every few seconds. If you open another tab and log out directly on the IDP, the session will be finished and the rp will then show you as logged out.
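For readers following the thread, here is an added example (not code from this PR or from django-oauth-toolkit) of the two pieces the description and the comment above rely on: how the OP derives the `session_state` value the AuthorizationView returns, and what the OP iframe answers when the RP iframe pings it. It follows the non-normative hash construction shown in the OIDC Session Management 1.0 spec; the function names, the salt length and the sample values are assumptions for this example.

```python
# Added example, not the PR's code: OP-side session_state construction and
# check, following the hash construction shown in OIDC Session Management 1.0.
import base64
import hashlib
import secrets


def _b64url_sha256(value: str) -> str:
    """base64url-encoded SHA-256 without padding, as in the spec example."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def compute_session_state(client_id: str, origin: str, op_browser_state: str,
                          salt: str = "") -> str:
    """session_state returned with the authentication response.

    op_browser_state is the value of the OP's browser-state cookie (the cookie
    the middleware sets in this PR); it changes whenever the end user logs in
    or out at the OP.  origin is the RP's origin.  Salt length is an assumption.
    """
    salt = salt or secrets.token_hex(8)
    return _b64url_sha256(f"{client_id} {origin} {op_browser_state} {salt}") + "." + salt


def check_session_state(message: str, origin: str, op_browser_state: str) -> str:
    """What the OP iframe replies to the RP iframe's postMessage.

    The RP iframe sends "client_id session_state".  The OP iframe recomputes
    the hash from its *current* browser state and the *sender's* origin (so a
    message from another origin never matches) and replies "unchanged",
    "changed", or "error" for a malformed message.
    """
    try:
        client_id, session_state = message.split(" ", 1)
        hash_part, salt = session_state.rsplit(".", 1)
    except ValueError:
        return "error"
    if not client_id or not hash_part or not salt:
        return "error"
    expected = _b64url_sha256(f"{client_id} {origin} {op_browser_state} {salt}")
    return "unchanged" if secrets.compare_digest(expected, hash_part) else "changed"
```

The RP keeps polling with the `session_state` it received at login; once the OP's browser-state cookie changes (logout at the OP, as in the test walkthrough above), the reply flips to "changed" and the RP can re-check the session or show the user as logged out.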
the RP uses my svelte-oidc package which is a proxy to https://github.com/DuendeArchive/identity-model-oidc-client-js more or less. I'm fairly certain https://github.com/DuendeArchive/identity-model-oidc-client-js/blob/dev/src/SessionMonitor.js handles session management in that library. Whether the tests/app/rp has session management enabled is another question. I've been meaning to update that to https://github.com/authts/oidc-client-ts, which is a TS port of the same library. |
Fixes #1130

Description of the Change

Implementation of OIDC Session Management. This PR:

- OIDC_SESSION_MANAGEMENT_DEFAULT_KEY to be present.
- OIDC_SESSION_MANAGEMENT_DEFAULT_KEY if the user is not authenticated. This is enough for the OP to indicate whether the end user session has changed (logged in, logged out)

Checklist

- CHANGELOG.md updated (only for user relevant changes)
- AUTHORS