Re: [OAUTH-WG] session status change notification questions

"Brock Allen" <> Mon, 12 January 2015 17:36 UTC

From: Brock Allen <>
To: 'John Bradley' <>
Date: Mon, 12 Jan 2015 12:35:40 -0500
List-Id: OAUTH WG <>

Yep, my mistake. Apologies for the spam (including this apology email).

From: John Bradley []
Sent: Monday, January 12, 2015 8:21 AM
To: Brock Allen
Subject: Re: [OAUTH-WG] session status change notification questions

If you are talking about this spec, then the correct list for questions is the OpenID Connect one at

Session management is not currently an OAuth WG document.

John B.

On Jan 12, 2015, at 10:11 AM, Brock Allen wrote:

A couple of questions about the session management spec related to the status change notifications (section 4):

1) Is there a working reference implementation of the JavaScript that goes with the current draft of the spec?

2) For the statement from section 4.2: “The OP iframe MUST enforce that the caller has the same origin as its parent frame.” I’m uncertain how to do this in the OP iframe, given that it seems to be a cross-origin security concern to ascertain the origin of the parent window. I don’t think ‘referrer’ is the most reliable approach.

3) The spec states that the OP iframe and the RP iframe should be both contained within the main RP window (so the iframes are siblings). Is there a reason the RP iframe can’t contain the OP iframe?

If it can, then this would address my question #2 above, as the source.window (on the message event args) can be compared to the parent.window to ensure that only the parent is sending the messages.



