The OpenID Connect Session Management specification, provides a way for a Relying Party (RP) to monitor the login status of an end user with an OpenID Connect Provider (OP) so that the RP application can log-out any end users that have logged out of the OP (i.e., the WSO2 Identity Server). For instance, if there are two RP applications relying on WSO2 Identity Server, when an end user logs-out of one of the applications, he/she can they can be automatically logged out of the other one as well.
...
OpenID Connect session management works with two hidden iframes , one at where both reside at the RP. One is from the RP itself and the other at the OP. The relying party is from the OP. When authenticating, the OP sends an iframe to the RP. The RP embed this OP-provided iframe into the RP. The RP checks the session state by using via the RP iframe to continuously poll a hidden OP by continuously polling the embedded OP provided iframe, without causing network traffic. TherebyThereby, the RP is notified when the session state of the end-user has changed. The flow of this is as follows.
- The RP iframe polls the OP iframe for a session status.
- The OP iframe sends back a post message message (by using HTML5 Winodw.postMessage()) about the session state as 'changed, 'unchanged' or 'error'.
- If the session state is 'changed', the RP sends a passive request for re-authentication.
- If the end user has logged out from the OP, the RP will receive an authentication failure message along with a new session state value. The RP handles this as a end user logout.
- If the end user has not logged out, the RP will receive a successful authentication response along with a new session state value.
| Panel | ||
|---|---|---|
| ||
To test this feature with WSO2 Playground sample, see the Session Management with Playground topic. |