The OpenID Connect Session Management specification, provides a way for a Relying Party (RP) to monitor the login status of an end user with an OpenID Connect Provider (OP) so that the RP application can log-out any end users that have logged out of the OP (i.e., the WSO2 Identity Server). For instance, if there are two RP applications relying on WSO2 Identity Server, when an end user logs-out of one of the applications, he/she can be automatically logged out of the other one as well.
How it works
OpenID Connect session management works with two hidden iframes, one at the RP and the other at the OP. The relying party checks the session state by using the RP iframe to continuously poll a hidden OP iframe, without causing network traffic. Thereby, the RP is notified when the session state of the end-user has changed. The flow of this is as follows.
- The RP iframe polls the OP iframe for a session status.
- The OP iframe sends back a post message about the session state as 'changed, 'unchanged' or 'error'.
- If the session state is 'changed', the RP sends a passive request for re-authentication.
- If the end user has logged out from the OP, the RP will receive an authentication failure message along with a new session state value. The RP handles this as a end user logout.
- If the end user has not logged out, the RP will receive a successful authentication response along with a new session state value.