Gdestuynder (talk | contribs)
| Line 122: | Line 122: | ||
=== Session handling === | === Session handling === | ||
The OpenID Connect Provider (OP) creates a user session cookie so that it does not need to re-ask the user for their | The OpenID Connect Provider (OP) typically creates a user session cookie so that it does not need to re-ask the user for their | ||
credentials too often across different web applications (RP). The expiration of the session depends on the OP setup the session and may be forced to expire by the OpenID Connect Provider (OP) sooner than the cookie indicates on the user's browser. | credentials too often across different web applications (RP). | ||
This allows the OP to forcibly log the user out. This premature termination of the user’s session with the OP will not, however, end the user’s session on the web application's (RP's) which they’ve logged into. | The expiration of the session depends on the OP setup the session and may be forced to expire by the OpenID Connect Provider (OP) sooner than the cookie indicates on the user's browser. | ||
This allows the OP to forcibly log the user out from the OP point of view. This premature termination of the user’s session with the OP will not, however, end the user’s session on the web application's (RP's) which they’ve logged into. | |||
For that reason, it is important that the web application (RP) respect | For that reason, it is important that the web application (RP) respect the following set of rules in regards to session handling: | ||
* '''Must''' expire the user session when the ID token expires or sooner (the expiration time is generally a UNIX timestamp attribute named <code>exp</code>). | * '''Must''' expire the user session when the ID token expires or sooner (the expiration time is generally a UNIX timestamp attribute named <code>exp</code>). | ||
* If the user's session is longer than '''15 minutes''', '''must''' re-check/introspect the ID token every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions. | * If the user's session is longer than '''15 minutes''', '''must''' re-check/introspect the ID token every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions. | ||
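Review bot: the revised sentence "The expiration of the session depends on the OP setup the session" is still ungrammatical on the right-hand side; "depends on how the OP sets up the session" says what is meant. The same hunk now hedges the first sentence with "typically creates a user session cookie", yet the next sentence still assumes that cookie exists; "If it does, the expiration of the session ..." keeps the two consistent. The "must re-check/introspect the ID token every 15 minutes" rule should also state the consequence of a failed check: if the introspection shows the token is no longer valid or the permissions have changed, the web application (RP) terminates the session.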
| Line 135: | Line 135: | ||
** This issues a new ID token, which new attributes if they have changed. | ** This issues a new ID token, which new attributes if they have changed. | ||
** This usually also renews the ID token, which will update it's expiration time to a later date. | ** This usually also renews the ID token, which will update it's expiration time to a later date. | ||
* '''Optionally''' provide a <code>logout</code> URL, which the OpenID Connect Provider (OP) can call to indicate if a user has logged out (so that the web application immediately know when to log the user out as well). | |||
=== Other important security considerations === | === Other important security considerations === | ||
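Review bot: two typos survive on both sides of this hunk: "which new attributes if they have changed" should read "with new attributes", and "update it's expiration time" should be "its". In the new "Optionally provide a logout URL" bullet, "the web application immediately know" should be "knows". That bullet also omits a check: the logout URL is called by the OP rather than by the user's browser, so the RP must verify that the request genuinely originates from the OP before ending a session, otherwise any caller could log users out of the RP.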