Session management
The OIDC session management 1.0 draft series defines a mechanism for a relying party (RP) to:
- Get an OpenID provider (OP) to confirm whether an OIDC session is valid, based on an ID token.
- Terminate an end user session with the OP; for example, when the user signs out.
The process is transparent to the end user. An RP uses a hidden `<iframe>` to get the session state from the OP and take action when the state changes.
PingOne Advanced Identity Cloud supports two drafts of the specification, draft 10 and draft 05, described in the following sections. Each version uses different endpoints to achieve the same result.
Session management draft 10
Draft 10 does not specify any session-related endpoints. PingOne Advanced Identity Cloud’s implementation of Draft 10 depends on these endpoints:
- `/oauth2/authorize`: Retrieve session state.
- `/json/sessions`: Terminate an end user session.
Draft 10 flow
To check session state, create an `<iframe>` in your RP whose `src` attribute targets the `/oauth2/authorize` endpoint with the required parameters. The user-agent sends the tenant session cookie with the request.
For example, a public client RP called `myClient` uses the following `<iframe src>` URL to request session state:
```text
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/authorize \
?client_id=myClient \
&response_type=none \
&id_token_hint=<id-token> \
&redirect_uri=https://www.example.com:443/callback \
&prompt=none
```
The query string parameters include these settings:
- `prompt=none`: Do not display user interaction pages to the end user.
- `id_token_hint=<id-token>`: The ID token to validate against the end user’s session.
- `response_type=none`: Do not issue a token in the response.
The following table lists the responses:
| PingOne Advanced Identity Cloud responses | Request with `redirect_uri` | Request without `redirect_uri` |
|---|---|---|
| Valid session | Redirect to | Return HTTP 204 No Content. |
| Invalid session | Redirect to | Return HTTP 400 Bad Request and redirect to a page that displays a message such as |
The RP’s `<iframe>` and the `redirect_uri` page must process any errors; for example, by redirecting the end user to sign in.
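The following RP-side helpers are an added example for the draft 10 flow above; they are not code from the PingOne Advanced Identity Cloud documentation or product. They build the `<iframe src>` URL with the parameters shown, classify the URL the OP redirects the callback page to, describe the `/json/sessions` logout request, and mount the hidden iframe in the browser. Assumptions not stated on the page: the callback page reports an invalid session through the standard OIDC `error` parameter that a `prompt=none` failure produces, the callback page relays its result to the RP's parent window with `postMessage`, and the `/json/sessions` logout action is Access Management's `_action=logout`. The names `buildSessionCheckUrl`, `classifyCallbackUrl`, `buildLogoutRequest` and `mountSessionCheck` are the example's own.

```javascript
// Added example (not from the PingOne Advanced Identity Cloud documentation or
// product code): RP-side helpers for the draft 10 session check through a hidden
// <iframe>. Assumptions (not stated on the page): the callback page at
// redirect_uri reports an invalid session through the standard OIDC `error`
// parameter that a prompt=none failure produces; the callback page relays the
// result to the RP's parent window with postMessage; the /json/sessions logout
// action is Access Management's `_action=logout` (assumed from AM's REST API).

// Build the <iframe src> URL for the /oauth2/authorize session check.
function buildSessionCheckUrl({ tenantFqdn, realmPath, clientId, idTokenHint, redirectUri }) {
  const url = new URL(`https://${tenantFqdn}/am/oauth2${realmPath}/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'none');      // do not issue a token
  url.searchParams.set('id_token_hint', idTokenHint);  // token to validate against the session
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('prompt', 'none');              // no user interaction pages
  return url.toString();
}

// Classify the URL the OP redirected the callback page to.
// No `error` parameter means the session is valid; otherwise return the error
// code so the RP can decide to send the end user to sign in.
function classifyCallbackUrl(callbackUrl) {
  const url = new URL(callbackUrl);
  // Look in both the query string and the fragment (assumption: either may carry it).
  const query = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const error = query.get('error') || fragment.get('error');
  return error ? { state: 'invalid', error } : { state: 'valid', error: null };
}

// Describe the request that terminates the end user's OP session via /json/sessions.
// The browser must send the tenant session cookie, so credentials are included.
function buildLogoutRequest({ tenantFqdn, realmPath }) {
  const url = new URL(`https://${tenantFqdn}/am/json${realmPath}/sessions/`);
  url.searchParams.set('_action', 'logout'); // assumed AM REST action name
  return { url: url.toString(), method: 'POST', credentials: 'include' };
}

// Browser side: mount the hidden iframe and react to the callback page's message.
// The callback page (served at redirect_uri) runs, for example:
//   window.parent.postMessage(JSON.stringify(classifyCallbackUrl(location.href)), location.origin);
function mountSessionCheck(doc, win, params, onResult) {
  win.addEventListener('message', (event) => {
    // Accept messages only from the RP's own origin, where the callback page lives.
    if (event.origin !== win.location.origin) return;
    let result;
    try { result = JSON.parse(event.data); } catch { return; } // ignore unrelated messages
    if (result && (result.state === 'valid' || result.state === 'invalid')) onResult(result);
  });
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.src = buildSessionCheckUrl(params);
  doc.body.appendChild(frame);
  return frame;
}
```

The origin check in `mountSessionCheck` matters: without it, any page the RP happens to embed could post a forged `{ state: 'valid' }` message. The RP should treat an `invalid` result as a signal to re-authenticate, never as a reason to keep local application state alive.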
Enable draft 10 support
To enable draft 10 support for a realm, configure the OAuth 2.0 provider:
- Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider.
- Switch to the Advanced tab and add `none|org.forgerock.oauth2.core.NoneResponseTypeHandler` to the Response Type Plugins settings.
- Save your changes.
To enable draft 10 support in the RP client profile:
- In the Advanced Identity Cloud admin UI, go to Applications > Client ID > Sign On > General Settings > Show advanced settings.
- In Access > Response Types, add `none`.
- Save your changes.
Session management draft 05
Draft 05 defines two endpoints for session management. These endpoints are no longer present in draft 10:
- `/oauth2/connect/checkSession`: Retrieve session state.
- `/oauth2/connect/endSession`: Terminate an end user session and redirect to a post-logout page.
Enable draft 05 support
The `/oauth2/connect/checkSession` endpoint serves as the `check_session_iframe` URL.
To enable draft 05 support in the RP client profile:
- In the Advanced Identity Cloud admin UI, go to Applications > Client ID > Sign On > General Settings > Show advanced settings.
- In Session Management > Client Session URI, add the URL the RP uses as the `<iframe src>` URL.
- Save your work.
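The following is an added example of the RP side of the draft 05 endpoints listed above (`/oauth2/connect/checkSession` as the `check_session_iframe` and `/oauth2/connect/endSession`); it is not code from the PingOne Advanced Identity Cloud documentation or product. It assumes the OP iframe follows the OIDC Session Management `postMessage` protocol (the RP posts `"<client_id> <session_state>"` and the OP replies `changed`, `unchanged` or `error`), that the realm path takes the same form as the draft 10 authorize URL on this page, and that the endSession endpoint accepts `id_token_hint` and `post_logout_redirect_uri`. The functions `opEndpoint`, `buildCheckSessionMessage`, `nextAction`, `buildEndSessionUrl` and `startSessionPolling` are the example's own names.

```javascript
// Added example (not from the PingOne Advanced Identity Cloud documentation or
// product code): RP-side logic for the draft 05 endpoints. Assumptions: the OP
// iframe at /oauth2/connect/checkSession follows the OIDC Session Management
// postMessage protocol (RP posts "<client_id> <session_state>", OP replies
// "changed", "unchanged" or "error"); the realm path mirrors the draft 10
// authorize URL on the page; endSession accepts id_token_hint and
// post_logout_redirect_uri.

function opEndpoint(tenantFqdn, realmPath, endpoint) {
  return `https://${tenantFqdn}/am/oauth2${realmPath}/connect/${endpoint}`;
}

// The message the RP iframe posts to the OP iframe: client_id, a space, session_state.
// session_state is the value the OP returned alongside the ID token at sign-in.
function buildCheckSessionMessage(clientId, sessionState) {
  if (!clientId || !sessionState || /\s/.test(clientId)) {
    throw new Error('client_id and session_state are required; client_id must not contain whitespace');
  }
  return `${clientId} ${sessionState}`;
}

// Map the OP iframe's reply to what the RP should do next.
// 'unchanged' -> keep the local session and keep polling
// 'changed'   -> the OP session changed (sign-out or a new login): re-check with
//                prompt=none, and sign the user out locally if that fails
// 'error'     -> malformed message or rejected origin: stop polling, never treat as signed in
function nextAction(reply) {
  switch (reply) {
    case 'unchanged': return 'continue';
    case 'changed': return 'reauthenticate';
    case 'error': return 'stop';
    default: return 'ignore'; // unexpected payload: do not act on it
  }
}

// Build the logout URL. post_logout_redirect_uri must be one the OP has registered for the client.
function buildEndSessionUrl({ tenantFqdn, realmPath, idTokenHint, postLogoutRedirectUri }) {
  const url = new URL(opEndpoint(tenantFqdn, realmPath, 'endSession'));
  url.searchParams.set('id_token_hint', idTokenHint);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// Browser side: poll the OP iframe from the RP iframe and act on its replies.
// opFrame is the <iframe> whose src is the checkSession URL.
function startSessionPolling(win, opFrame, { tenantFqdn, clientId, sessionState, intervalMs = 5000 }, onAction) {
  const opOrigin = `https://${tenantFqdn}`;
  win.addEventListener('message', (event) => {
    if (event.origin !== opOrigin) return; // accept replies from the OP only
    const action = nextAction(event.data);
    if (action !== 'ignore') onAction(action);
  });
  const message = buildCheckSessionMessage(clientId, sessionState);
  // Always post to the OP origin explicitly so the message cannot leak to another document.
  return win.setInterval(() => opFrame.contentWindow.postMessage(message, opOrigin), intervalMs);
}
```

Two details carry the security of this exchange: the RP only honours replies whose `event.origin` is the OP, and it posts to the OP origin explicitly rather than `'*'`. On the OP side, the Client Session URI configured in the client profile is what lets the checkSession iframe reject messages from origins other than the RP's.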
Disable session management
By default, the PingOne Advanced Identity Cloud OP supports draft 05 without additional configuration.
To disable session management support for a realm, configure the OAuth 2.0 provider:
- Under Native Consoles > Access Management, go to Realms > Realm Name > Services > OAuth2 Provider > Advanced OpenID Connect.
- Clear Enable Session Management.
- Save your changes.
This also disables backchannel logout.