GluuFederation / oxAuth

OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
https://gluu.org/docs/ce
MIT License

OpenID Connect session management, GLUU seems to be incompatible with draft #103

Closed mgrzybowski closed 8 years ago

mgrzybowski commented 8 years ago

Hi, I performed some tests with GLUU (2.4.0-2) as OpenID Connect OP and apache mod-auth-openidc (1.8.6-1ubuntu1~trusty+1) as client. It seems that session management is not fully implemented. Please find more details about this issue in https://github.com/pingidentity/mod_auth_openidc/issues/109.

zandbelt commented 8 years ago

It seems that the GLUU server is returning session_id as part of the authorization response, where it should be session_state according to the spec: http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions

nynymike commented 8 years ago

Yes, session_state is being returned with another parameter name, session_id. We will try to get this into the 2.4.1 release (target release next week), but it may not make the deadline, in which case it would be in 2.4.2 (year end).
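As an added example (not part of the thread, and not code from oxAuth or mod_auth_openidc), the check below inspects an authorization response redirect for the parameter-name mismatch discussed in this issue. The function names, the `rp.example` redirect URLs and all parameter values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SPEC_PARAM = "session_state"      # name required by OpenID Connect Session Management
NONSTANDARD_PARAM = "session_id"  # name the thread reports GLUU 2.4.0 returning


def authorization_response_params(redirect_url):
    """Collect response parameters from both the query and the fragment.

    Code flow responses arrive in the query string; implicit and hybrid
    flow responses arrive in the fragment, so both are inspected.
    """
    parts = urlsplit(redirect_url)
    params = {}
    for component in (parts.query, parts.fragment):
        for name, values in parse_qs(component, keep_blank_values=True).items():
            params.setdefault(name, values[0])
    return params


def check_session_state(redirect_url):
    """Classify an authorization response for session management support."""
    params = authorization_response_params(redirect_url)
    if "error" in params:
        return "error-response"    # no login happened, so no session to track
    if params.get(SPEC_PARAM):
        return "ok"                # the RP can pass this value to the OP iframe
    if NONSTANDARD_PARAM in params:
        return "nonstandard-name"  # the situation described in this issue
    return "missing"               # OP sent no session value at all


# Constructed sample redirects (hypothetical RP at rp.example).
SAMPLES = [
    "https://rp.example/cb?code=abc&state=xyz&session_id=1234",
    "https://rp.example/cb?code=abc&state=xyz&session_state=abc.def",
    "https://rp.example/cb#id_token=x&state=xyz&session_state=abc.def",
    "https://rp.example/cb?code=abc&state=xyz",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_session_state(url), url)
```

A relying party that tracks OP sessions can run such a check in integration tests against its provider, since a missing or misnamed value leaves it with nothing to hand to the session-check iframe.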