What is the sid claim in the logout token in OpenID Connect Back-Channel Logout?
I'm working on a project related to OpenID Connect Back-Channel Logout. I need to include the sid claim in the logout token, as mentioned in the specification.
sid - OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
From this explanation of sid, I am confused about whether it tells the session ID of the End-User at the RP or the session ID of the RP at the OP.
Thanks in advance.
sid = unique identifier of the session of an end user on a particular device/user agent, etc. Suppose you are logged in on an Android phone in a game app, and the game app uses OpenID and authenticates with either Facebook or Google. The game app launches a user agent and connects to the OpenID provider. Here the authentication happens, and the app gets an ID token (which contains the sid). The game app requests the user claims from the OpenID provider and creates a session on the device, and sends the user information to create a session on the game app server (the RP here) as well.
Now suppose you logged in to another app on the same phone or on a different phone and did the same thing. You are logged in to 2 different apps, each of which has its own session, so you have 2 sessions at the OP. How would the OP distinguish which session to kill? If no sid is there, it will kill all the sessions, and if the sid is there, that session can be killed.
This is the simplest explanation I can give. Or else how would it be achieved?
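The following is an added example, not part of the original question or answer: a sketch of how an RP could pick which of its own sessions a logout token targets, depending on whether the token carries sid or only sub. The session store layout, the function and variable names, and the sample values are assumptions made for illustration, and signature, iss, aud, iat and jti validation is assumed to have been done by a JWT library before this function runs.

```python
# Added example: RP-side session selection for an already-verified logout token.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

class LogoutTokenError(ValueError):
    """Raised when the logout token claims are not acceptable."""

def sessions_to_terminate(claims, rp_sessions):
    """Return the RP session keys that a logout token targets.

    claims:      logout token claims (signature, iss, aud, iat, jti assumed
                 already validated elsewhere).
    rp_sessions: hypothetical RP store, session key -> {"iss", "sub", "sid"},
                 recorded from the ID token when the session was created.
    """
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing back-channel logout event")
    if "nonce" in claims:
        raise LogoutTokenError("nonce must not appear in a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise LogoutTokenError("logout token needs sub and/or sid")

    hits = []
    for key, sess in rp_sessions.items():
        if sess["iss"] != claims["iss"]:
            continue  # sid is only unique in the context of one issuer
        if sid is not None:
            # sid present: only the one matching session is ended
            if sess["sid"] == sid and (sub is None or sess["sub"] == sub):
                hits.append(key)
        elif sess["sub"] == sub:
            # no sid: every session of this user from this issuer is ended
            hits.append(key)
    return sorted(hits)

# Constructed sample data (not real identifiers).
ISS = "https://op.example"
RP_SESSIONS = {
    "rp-sess-phone": {"iss": ISS, "sub": "user-1", "sid": "sid-phone"},
    "rp-sess-tablet": {"iss": ISS, "sub": "user-1", "sid": "sid-tablet"},
    "rp-sess-other": {"iss": ISS, "sub": "user-2", "sid": "sid-other"},
}

def sample_token(**extra):
    """Build constructed logout token claims for the cases above."""
    base = {"iss": ISS, "aud": "game-app", "iat": 1700000000,
            "jti": "constructed-jti", "events": {BACKCHANNEL_EVENT: {}}}
    return {**base, **extra}
```

To make the sid lookup possible, the RP has to store the sid from the ID token alongside its own session at login time.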