Invoking the Session Management Endpoint for OpenID Connect
The session management endpoint enables OpenID Connect Relying Parties to monitor the login status of a user with a particular OpenID Connect Provider (OP) while minimizing network traffic. With the help of the session management endpoint, a Relying Party (RP) can log out a user who logged out of the OpenID Connect Provider.
Before you begin
About this task
To help determine the login status of a user, the RP loads an iframe with its src target set to the session management endpoint of the OP. The session management endpoint has access to a cookie that stores the login status, or browser state, of a user. This browser state cookie is updated when a user logs out of the OP. The RP can then use client side scripting to invoke the Window.postMessage() function of the OP iframe, sending the client ID and the currently known session state in the text of the message. If the RP receives a postMessage back from the OP frame with a value of changed, then the login status of the user at the OP has changed and the RP can decide whether to log out the user. If a value of unchanged is returned, the user is still logged in at the OP.
A Liberty server with OpenID Connect enabled has access to the OpenID Connect session management endpoint at the following URL:
https://server.example.com:443/oidc/endpoint/<provider_name>/check_session_iframe
If you must use a proxy to access the OpenID Connect Provider (OP), the value that you enter for any OP-related URL property must contain the proxy host and port, not the external OP host and port.
In most cases, you can replace the OP host and port with the proxy host and port. The URL that you enter must be visible to both the RP and client (browser or application). For further guidance on how to determine the correct URL to use, contact your proxy administrator.
In this example, the client expects the SSL port to be set to 443.
Procedure
Results
Example
The following HTML example shows a complete HTML page that uses OpenID Connect Session Management. The src attribute of the OP iframe is set to the session management endpoint URL obtained from the OP. The startChecking() function is automatically called every 60 seconds and checks the login status of the user. The page has a message event listener that calls the receiveMessage() function when a postMessage is received. This function makes sure the postMessage comes from the expected domain for the OP and checks the value of the returned message to see whether the login status of the user is changed or unchanged.
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>iFrame RP Page</title>
</head>
<body onload="javascript:startChecking()">
<iframe id="iframeOP" src="https://localhost:8999/oidc/endpoint/OidcConfigSample/check_session_iframe" frameborder="0" width="0" height="0"></iframe>
</body>
<script>
var targetOP = "https://server.example.com:443";
window.addEventListener("message", receiveMessage, false);
function startChecking() {
checkStatus();
// Check status every 60 seconds
setInterval("checkStatus()", 1000*60);
}
function getCookieValue(cookieName) {
var name = cookieName + "=";
var cookies = document.cookie.split(';');
if (!cookies) {
return null;
}
for (var i = 0; i < cookies.length; i++) {
var cookie = cookies[i].trim();
if (cookie.indexOf(name) == 0) {
return cookie.substring(name.length, cookie.length);
}
}
return null;
}
function checkStatus() {
var client = "client01";
var sessionState = getCookieValue("session_state");
var text = client + " " + sessionState;
var iframe = document.getElementById("iframeOP");
iframe.contentWindow.postMessage(text, targetOP);
}
function receiveMessage(event) {
if (event.origin !== targetOP) {
// Origin did not come from the OP; this message must be rejected
return;
}
if (event.data === "unchanged") {
// User is still logged in to the OP
} else {
// User has logged out of the OP
}
}
</script>
</html>