Add initial doc for session management.

docs/index.rst

@@ -5,6 +5,8 @@ This tiny (but powerful!) package can help you providing out of the box all the
 
 Also implements the following specifications:
 
+* `OpenID Connect Discovery 1.0 <https://openid.net/specs/openid-connect-discovery-1_0.html>`_
+* `OpenID Connect Session Management 1.0 <https://openid.net/specs/openid-connect-session-1_0.html>`_
 * `OAuth 2.0 for Native Apps <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-01>`_
 * `Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
 
@@ -30,6 +32,7 @@ Contents:
    sections/userconsent
    sections/oauth2
    sections/accesstokens
+   sections/sessionmanagement
    sections/settings
    sections/examples
    sections/contribute

docs/sections/sessionmanagement.rst

@@ -0,0 +1,67 @@
+.. _sessionmanagement:
+
+Session Management
+##################
+
+The `OpenID Connect Session Management 1.0 <https://openid.net/specs/openid-connect-session-1_0.html>`_ specification complements the core specification by defining how to monitor the End-User's login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.
+
+
+Setup
+=====
+
+Somewhere in your Django ``settings.py``::
+
+    MIDDLEWARE_CLASSES = [
+        ...
+        'oidc_provider.middleware.SessionManagementMiddleware',
+    ]
+
+    OIDC_SESSION_MANAGEMENT_ENABLE = True
+
+Example RP iframe
+=================
+
+::
+
+    <!DOCTYPE html>
+    <html>
+    <head>
+        <meta charset="ISO-8859-1">
+        <title>RP Iframe</title>
+    </head>
+    <body onload="javascript:startChecking()">
+        <iframe id="op-iframe" src="http://localhost:8000/check-session-iframe/" frameborder="0" width="0" height="0"></iframe>
+    </body>
+    <script>
+        var targetOP = "http://localhost:8000";
+
+        window.addEventListener("message", receiveMessage, false);
+
+        function startChecking() {
+                  checkStatus();
+                  setInterval('checkStatus()', 1000*60); // every 60 seconds
+        }
+
+        function checkStatus() {
+                  var clientId = '';
+                  var sessionState = '';
+                  var data = clientId + ' ' + sessionState;
+                  document.getElementById('op-iframe').contentWindow.postMessage(data, targetOP);
+        }
+
+        function receiveMessage(event) {
+            if (event.origin !== targetOP) {
+                // Origin did not come from the OP.
+                return;
+            }
+            if (event.data === 'unchanged') {
+                // User is still logged in to the OP.
+            } else if (event.data === 'changed') {
+                // Perform re-authentication with prompt=none to obtain the current session state at the OP.
+            } else {
+                // Error.
+                console.log('Something goes wrong!');
+            }
+        }
+    </script>
+    </html>

docs/sections/settings.rst

@@ -52,7 +52,6 @@ Used to add extra scopes specific for your app. OpenID Connect RP's will use sco
 
 Read more about how to implement it in :ref:`scopesclaims` section.
 
-
 OIDC_IDTOKEN_EXPIRE
 ===================
 
@@ -92,6 +91,13 @@ Default is::
 
         return str(user.id)
 
+OIDC_SESSION_MANAGEMENT_ENABLE
+==============================
+
+OPTIONAL. ``bool``. Enables OpenID Connect Session Management 1.0 in your provider. Read :ref:`scopesclaims` section.
+
+Default is ``False``.
+
 OIDC_SKIP_CONSENT_ALWAYS
 ========================
 
@@ -123,7 +129,7 @@ Expressed in seconds. Default is ``60*60``.
 OIDC_USERINFO
 =============
 
-OPTIONAL. ``str``. A string with the location of your function. Read **Standard Claims** section.
+OPTIONAL. ``str``. A string with the location of your function. Read :ref:`scopesclaims` section.
 
 The function receives a ``claims`` dictionary with all the standard claims and ``user`` instance. Must returns the ``claims`` dict again.