OpenID Connect Session Mgmt

Issue/Topic: OpenID Connect Session Management

Session: Wednesday 1I

Conference: IIW-11 November 2-4, Mountain View

Convener: Breno de Medeiros

Notes-taker(s): Breno de Medeiros

Tags: OpenID Connect Session Management

Discussion notes:

 * Discussed the authorization flow for OpenID Connect
 * Discussed the non-crypto authentication mechanism based on the UserInfo endpoint
 * Discussed the crypto-based authentication relying on signed JSON tokens
 * Discussed the session management lifecycle: extending the lifetime of tokens or invalidating them

Topics for further discussion:

 * Invalidation and revalidation of tokens: if and how the Client should signal to the Server which session to extend/validate
 * Validity duration of the encapsulated OAuth token for API access to APIs other than the UserInfo endpoint
 * More detail about how specific OAuth authorization profiles (e.g., User Agent vs. Web Server flow) operate
 * Error responses
 * Immediate vs. user-interactive modes