Re: [OAUTH-WG] session status change notification questions

John Bradley <ve7jtb@ve7jtb.com> Mon, 12 January 2015 13:21 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <002401d02e69$43284220$c978c660$@gmail.com>
Date: Mon, 12 Jan 2015 10:21:09 -0300
Message-Id: <4CB069B6-093D-44A4-A0CC-82AE0E637285@ve7jtb.com>
References: <002401d02e69$43284220$c978c660$@gmail.com>
To: Brock Allen <brockallen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ZWVWcL0T0H5aCXhUS9SzF0d9Ryg>
Cc: OAuth@ietf.org
Subject: Re: [OAUTH-WG] session status change notification questions

If you are talking about this spec http://openid.net/specs/openid-connect-session-1_0.html, then the correct list for questions is the OpenID Connect one at http://lists.openid.net/mailman/listinfo/openid-specs-ab.

Session management is not currently an OAuth WG document.

John B.

> On Jan 12, 2015, at 10:11 AM, Brock Allen <brockallen@gmail.com> wrote:
> 
> A couple of questions about the session management spec related to the status change notifications (section 4): 
>  
> 1) Is there a working reference implementation of the JavaScript that goes with the current draft of the spec?
>  
> 2) For the statement from section 4.2: “The OP iframe MUST enforce that the caller has the same origin as its parent frame.” I’m uncertain how to do this in the OP iframe, given that it seems to be a cross-origin security concern to ascertain the origin of the parent window. I don’t think ‘referrer’ is the most reliable approach.
>  
> 3) The spec states that the OP iframe and the RP iframe should be both contained within the main RP window (so the iframes are siblings). Is there a reason the RP iframe can’t contain the OP iframe?
>  
> If it can, then this would address my question #2 above, as the source.window (on the message event args) can be compared to the parent.window to ensure that only the parent is sending the messages.
>  
> Thanks.
>  
> -Brock
>  