Hi,
As mentioned above, when the RP iFrame receives a message of 'changed' from
the OP iFrame, it loads a request with the suffix 're-authenticate' in
the browser window. The request will be handled by the Tomcat valve as a
re-authentication request, and an authentication request will be redirected
to the authentication endpoint with the parameter prompt=none to indicate
that the request should be handled without login.

   - If the session is valid in the OpenID Provider (OP), the browser will
   be redirected back with an authentication response with a new session
   state. So the session state will be updated, to be used by the RP iFrame to
   poll the OP iFrame.
   - If the session is not valid, which means the end user has been logged
   out from the OP, then the response will be received with the error
   "login_required". So the valve will redirect the user to the welcome page
   to start the flow.

This is how Single Logout has been implemented in the Tomcat extension
for OpenID Connect.

Thank you,
Abilashini

On Fri, Nov 4, 2016 at 10:47 AM, Abilashini Thiyagarajah <
abilash...@wso2.com> wrote:

> Hi,
>
> Now I am working on the $subject and I need some clarifications on the
> concept to start the implementation.
>
>    -
>
>    According to the specification
>    <http://openid.net/specs/openid-connect-session-1_0.html#RPiframe> of
>    OpenID Session Management, there should be a RP iframe which should be
>    written by the web application developer.
>
>
>
>    -
>
>    The RP iframe should poll the OP iframe repeatedly which will be
>    available in the iframe endpoint of OpenID Provider with the client ID to
>    get a message according to the session state.
>
>
>
>    -
>
>    So when the end user logged out from the IDP, the RP iframe of all the
>    logged in webapps from the same browser will get the message as “changed”.
>
>
>
>    -
>
>    After receiving this message the RP iframe will send a re-authenticate
>    request with ‘prompt = none’ to the authorization endpoint of the IDP.
>
>
>
>    -
>
>    If it does not receive a valid ID Token, then the web app/valve should
>    handle this as a logout.
>
>
> Please share your concerns on this.
>
>
> Thank you in advance,
>
> Abilashini
>
>
> --
> T. Abilashini
> Intern
> Software Engineering
> WSO2 Inc. http://wso2.com/
> Phone +94 719248432
>
>


_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev