This topic documents instructions on how to test the OpenID Connect session management feature with the WSO2 Playground sample application as the Relying Party (RP) with WSO2 Identity Server as the OpenID Connect Provider (OP). See Configuring OpenID Connect Single Logout for more information.
- In order to test the OpenID Connect session management feature, you need to have a relying party (RP) implementation. You can use either of the following options for this:
- The example pseudo-code for the RP iframe provided in the official specification
The WSO2 Identity Server Playground sample application. Expand the section below to set up.Setting up the sample
Deploy two relying party applications. To do this, make a copy of the playground2.war file that was generated when you set up the sample webapp, and rename it as "playground3.war".
Registering the relying party applications
- Start the IS server and login to the management console.
- Add a new service provider named "playground2" and click Register.
- Expand the Inbound Authentication Configuration section and then the OAuth/OpenID Connect Configuration and click Configure.
For more information, see Configuring OAuth2-OpenID Connect.
Enter http://localhost:8080/playground2/oauth2client as the callback URL and click Update.
At this point, you will see the client key and client secret. Note these values as you will need them later in this process.
- Repeat steps 1-4 and register a service provider named as "playground3".
Testing session management with WSO2 Playground
- Access the following URL and click on Import Photos:http://localhost:8080/playground2/
- Enter the following values and click Authorize.
- Authorization Grant Type: Authorization Code (with this sample you can test OIDC only for the Authorization Code flow)
- Client Id: Enter the client ID of the registered playground2 application
- Scope: openid
- Callback URL: http://localhost:8080/playground2/oauth2client
- Authorize Endpoint:https://localhost:9443/oauth2/authorize
- Logout Endpoint:https://localhost:9443/oidc/logout
- Session Iframe Endpoint:https://localhost:9443/oidc/checksession?client_id=<clientID of playground2 application>
Login with the user credentials and click Approve Always at the consent page.
To avoid errors during execution, select the Approve Always option.
- Once it is successfully authenticated, the OP will redirect back to the client application with the authorization code and the session state. You can see this in the logs of the console, as seen below.
- Enter the following values and click Get Access Token to receive the ID token and access token.
- You will receive the access token. You can also enter the UserInfo Endpoint as https://localhost:9443/oauth2/userinfo?schema=openid to use the received access token to obtain user claims if needed.
- Access the following URL on a separate window of the browser, and click on Import Photos:http://localhost:8080/playground3/
Repeat steps 7-9 to invoke the playground3 application.
Once you receive the authorization code for the playground3 app, open the browser console of the playground2 app. You will see that the RP iframe of playground2 has initiated a passive authentication request as the session state changed. Since the response has been received, the app will update it’s session state value and keep polling the OP iframe again.
- Go back to the browser window of the playground3 app, and click Logout. Click Approve when prompted for consent.
- Go back to the browser window of the playground2 app. You will see that the home page has loaded. If you check the console logs, you will note that the the playground2 app’s RP iframe has initiated a passive authentication request and has received an error since the end user session has ended. This means the app has successfully handled this as a single logout scenario.