Add initial doc for session management.

This commit is contained in:
Ignacio Fiorentino 2016-10-28 16:56:06 -03:00
parent b442dbf979
commit d9149b162d
3 changed files with 78 additions and 2 deletions

View file

@ -5,6 +5,8 @@ This tiny (but powerful!) package can help you providing out of the box all the
Also implements the following specifications: Also implements the following specifications:
* `OpenID Connect Discovery 1.0 <https://openid.net/specs/openid-connect-discovery-1_0.html>`_
* `OpenID Connect Session Management 1.0 <https://openid.net/specs/openid-connect-session-1_0.html>`_
* `OAuth 2.0 for Native Apps <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-01>`_ * `OAuth 2.0 for Native Apps <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-01>`_
* `Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_ * `Proof Key for Code Exchange by OAuth Public Clients <https://tools.ietf.org/html/rfc7636>`_
@ -30,6 +32,7 @@ Contents:
sections/userconsent sections/userconsent
sections/oauth2 sections/oauth2
sections/accesstokens sections/accesstokens
sections/sessionmanagement
sections/settings sections/settings
sections/examples sections/examples
sections/contribute sections/contribute

View file

@ -0,0 +1,67 @@
.. _sessionmanagement:
Session Management
##################
The `OpenID Connect Session Management 1.0 <https://openid.net/specs/openid-connect-session-1_0.html>`_ specification complements the core specification by defining how to monitor the End-User's login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.
Setup
=====
Somewhere in your Django ``settings.py``::
MIDDLEWARE_CLASSES = [
...
'oidc_provider.middleware.SessionManagementMiddleware',
]
OIDC_SESSION_MANAGEMENT_ENABLE = True
Example RP iframe
=================
::
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>RP Iframe</title>
</head>
<body onload="javascript:startChecking()">
<iframe id="op-iframe" src="http://localhost:8000/check-session-iframe/" frameborder="0" width="0" height="0"></iframe>
</body>
<script>
var targetOP = "http://localhost:8000";
window.addEventListener("message", receiveMessage, false);
function startChecking() {
checkStatus();
setInterval('checkStatus()', 1000*60); // every 60 seconds
}
function checkStatus() {
var clientId = '';
var sessionState = '';
var data = clientId + ' ' + sessionState;
document.getElementById('op-iframe').contentWindow.postMessage(data, targetOP);
}
function receiveMessage(event) {
if (event.origin !== targetOP) {
// Origin did not come from the OP.
return;
}
if (event.data === 'unchanged') {
// User is still logged in to the OP.
} else if (event.data === 'changed') {
// Perform re-authentication with prompt=none to obtain the current session state at the OP.
} else {
// Error.
console.log('Something goes wrong!');
}
}
</script>
</html>

View file

@ -52,7 +52,6 @@ Used to add extra scopes specific for your app. OpenID Connect RP's will use sco
Read more about how to implement it in :ref:`scopesclaims` section. Read more about how to implement it in :ref:`scopesclaims` section.
OIDC_IDTOKEN_EXPIRE OIDC_IDTOKEN_EXPIRE
=================== ===================
@ -92,6 +91,13 @@ Default is::
return str(user.id) return str(user.id)
OIDC_SESSION_MANAGEMENT_ENABLE
==============================
OPTIONAL. ``bool``. Enables OpenID Connect Session Management 1.0 in your provider. Read :ref:`scopesclaims` section.
Default is ``False``.
OIDC_SKIP_CONSENT_ALWAYS OIDC_SKIP_CONSENT_ALWAYS
======================== ========================
@ -123,7 +129,7 @@ Expressed in seconds. Default is ``60*60``.
OIDC_USERINFO OIDC_USERINFO
============= =============
OPTIONAL. ``str``. A string with the location of your function. Read **Standard Claims** section. OPTIONAL. ``str``. A string with the location of your function. Read :ref:`scopesclaims` section.
The function receives a ``claims`` dictionary with all the standard claims and ``user`` instance. Must returns the ``claims`` dict again. The function receives a ``claims`` dictionary with all the standard claims and ``user`` instance. Must returns the ``claims`` dict again.