Reputation: 48450
I am running Ory Hydra as an OAuth 2.0 / OpenID Provider.
I wanted to put together a solution so that the Relying Party can check the end user's OpenID session state. Are they logged in, logged out etc. The OpenID spec has a solution that uses iframes specified here. The major problem I have with this solution is depicted in Section 5.1 of the OpenID Connect Session Management spec here:
Note that at the time of this writing, some User Agents (browsers) are starting to block access to third-party content by default to block some mechanisms used to track the End-User's activity across sites.
Specifically, the third-party content being blocked is website content with an origin different than the origin of the focused User Agent window.
Site data includes cookies and any web storage APIs (sessionStorage, localStorage, etc.).
This can prevent the ability for notifications from the OP at the RP from being able to access the RP's User Agent state to implement local logout actions.
In particular, cookies and web storage APIs may not be available in the OP frame loaded in the RP context. The side effect here is that, depending on the used mechanism (cookies or web storage), the data needed to recalculate session_state might not be available.
Cookie based implementations might then return changed for every single call, resulting in infinite loops of re-authentications.
Therefore, deployments of this specification are recommended to include defensive code to detect this situation, and if possible, notify the End-User that the requested RP logouts could not be performed.
The details of the defensive code needed are beyond the scope of this specification; it may vary per User Agent and may vary over time, as the User Agent tracking prevention situation is fluid and continues to evolve.
Is there another way to see if an End User has an OpenID session without using an iframe implementation?
Upvotes: 2
Views: 1561
Reputation: 19921
You can always ask the token introspection endpoint using your access token to see if an access token is still valid or not. Using this approach you can avoid using iframes. As an alternative you could use short-lived access tokens and use the refresh token to acquire new access tokens. That could be a suitable compromise for most cases.
See the specification for token introspection here; this tutorial is also a good starting point.
In the response from calling this endpoint you should find an active field that should be set to true if the user is still logged in.
The specification says:
active REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token's "active" state will vary depending on the implementation of the authorization server and the information it keeps about its tokens, but a "true" value return for the "active" property will generally indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g., after its issuance time and before its expiration time).
Upvotes: 2
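A minimal RP-side check built on the introspection approach in this answer. This is an added example, not code from the question or from Ory Hydra; the admin introspection URL, the expected subject and the expected client id are assumptions to adjust for your deployment:

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed Hydra admin introspection URL (RFC 7662 endpoint); adjust for your deployment.
INTROSPECT_URL = "http://127.0.0.1:4445/admin/oauth2/introspect"


def post_form(url, fields):
    """Default transport: POST application/x-www-form-urlencoded, return parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def introspect(token, post=post_form, url=INTROSPECT_URL):
    """RFC 7662 introspection: the token travels in the form body, never in the URL."""
    return post(url, {"token": token, "token_type_hint": "access_token"})


def session_status(claims, expected_sub, expected_client, now=None):
    """Decide whether the RP may treat the end user as still logged in.

    Returns (logged_in, reason). The 'active' flag is the authoritative signal;
    the extra checks guard against a token that is valid but belongs to another
    user or client, or whose 'exp' has already passed (clock skew, stale cache).
    """
    now = time.time() if now is None else now
    if claims.get("active") is not True:  # only a JSON boolean true counts
        return False, "token inactive or revoked"
    if claims.get("sub") != expected_sub:
        return False, "token issued to a different subject"
    if claims.get("client_id") != expected_client:
        return False, "token issued to a different client"
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    return True, "active"


def check_user_session(token, expected_sub, expected_client, post=post_form, now=None):
    """What an RP would call per protected request or on a timer instead of the OP iframe."""
    return session_status(introspect(token, post), expected_sub, expected_client, now)
```

When the result is not logged in, the RP should drop its local session and send the user back through the authorization flow (or try the refresh token first if it holds one).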