Check Session Iframe OpenIDConnect
I have a situation where I have an RP that does not explicitly require you to be logged into it. However, I had a look at the session management specification for OpenID Connect, more specifically the check_session_iframe endpoint specification as drafted here.

I was wondering if the following scenario would be possible. I have an RP that uses client x to federate sign-on onto my OP. Is it possible for me to see if the client (x) is signed into the OP even if I do not have the session id (or sid)? In other words, is it possible for an application to see if you have a session with the OP, so that you are not forced to prompt a sign-on against the OP?

A basic flow that I want to satisfy for UX reasons is:

1) Go to RP.

2) Check to see if RP has a session with OP.

3) - If there is a session, then auto-login (without initiating the flow).
   - If there is no session, then don't do anything (i.e. no need to prompt for login).

Is something like this possible? I do understand that it is possible to get session information if you have previously been signed in (by using the given session_state and client_id).

I have looked at the IdentityServer3.Samples, more specifically the client sample that shows how you can check session state here; however, it seems like this sample shows how it is possible to check session state after doing a log in. I want to know if it is possible to check if the client currently has a session even before the RP explicitly requests sign-on.

Equipage answered 16/8, 2016 at 18:21 Comment(0)

Yes, use prompt=none in the authorization request to the OP, and do it in an iframe. The oidc-client-js library now supports this with the querySessionStatus API as of recently: https://brockallen.com/2016/08/12/check-session-support-in-oidc-client-js/.

Whistle answered 16/8, 2016 at 22:12 Comment(0)

You can use the querySessionStatus method to check if there is an active session.

I've added a method in my oidc-client service:

// Wraps oidc-client's querySessionStatus, which performs a prompt=none sign-in
// in a hidden iframe and resolves with { session_state, sub, sid } when the OP
// has a session, resolves with nothing when the user is not authenticated, and
// rejects on an error response.
sessionStatus(): Promise<any> {
  return this._userManager.querySessionStatus();
}

And I called this method in my CanActivate guard to check if there is a valid session; if a session exists, I call signinRedirect directly without prompting the login view:

canActivate(): Promise<boolean> | boolean {
  if (!this.authService.isLoggedIn()) {
    // Return the promise so the router waits for the silent session check
    // (returning nothing on this path would leave the route unresolved).
    return this.authService.sessionStatus().then((data) => {
      // querySessionStatus resolves with no value when there is no session,
      // so guard against undefined before reading sid
      if (data && data.sid) { // session exists: call login method in my oidc-client service
        this.authService.login();
        return true;
      } else {
        this.router.navigate(['account/login']);
        return false;
      }
    }).catch((err) => {
      // error response from the OP (e.g. login_required): treat as no session
      this.router.navigate(['account/login']);
      return false;
    });
  } else {
    return true;
  }
}
Typology answered 30/10, 2018 at 22:14 Comment(0)
