Tags: oauth-2.0, openid, openid-connect, wso2-identity-server

Session ID for OpenID Connect


Our company's applications will have centralized authentication. No authentication or user accounts are maintained in either App 1 or App 2; all of that is handled in Identity Server. You need a company account to use App 1 or App 2.

I think the id_token is more than enough as a session ID, but from my understanding it is preferable not to expose the id_token outside the server if possible, for tighter security. How should I issue the session_id, and what is the ideal way of session management for this case? I am using WSO2 Identity Server.


Solution

Session management is a trait most commonly associated with web applications, so I'll assume that's what App 1 and 2 are. You may find this article (Single Sign-On for Regular Web Apps) an interesting read, in particular the section on session management.

When talking about managing sessions, there are typically three layers of sessions we need to consider:

• Application Session
• Auth0 (Federation Provider)[1] session
• Identity Provider session

[1] This would be applicable to you if you planned on having your authentication server further delegate the authentication to an additional identity provider such as Google or Facebook.

Personally, I would not use the ID token as the session identifier and instead use a shorter ID and keep the session state server-side.

However, the ID token is meant to be provided to a client application as a way to supply it with information about an authentication operation. Here, client application refers to the role of the application and not its deployment characteristics, so you can have client applications that live only in the server world or outside of it on end-user devices/computers.

The above implies that having ID tokens cross the server-side boundary is completely okay and that your intention of using it as the session cookie value is fine.

Do have in mind that both cookies and ID tokens have the notion of expiration, so having the token inside a cookie may be kind of confusing. You either need to keep the expirations in sync (duplication) or ignore one and make sure that everyone knows which one is being ignored (everyone might even mean you three months from now).
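As an added illustration (not part of the answer above or of WSO2's code), a minimal server-side session store that follows the answer's advice: an opaque random session ID in the cookie, the ID token's claims kept server-side, and the cookie's Max-Age derived from the token's exp so the two expirations stay in sync. The sample claims are constructed, and the ID token is assumed to have already been validated (signature, iss, aud, nonce) by the app's OIDC library.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample: claims from an ID token issued by the company's IdP
# (issuer and client id are placeholders, not real WSO2 values).
SAMPLE_CLAIMS = {"iss": "https://idp.example.com/oauth2/token", "sub": "user-1234",
                 "aud": "app1-client-id", "iat": 1_700_000_000, "exp": 1_700_003_600}


@dataclass
class Session:
    sub: str                                  # subject from the validated ID token
    claims: dict = field(default_factory=dict)
    expires_at: int = 0                       # Unix time; mirrors the token's exp (capped)


class SessionStore:
    """In-memory server-side session state keyed by an opaque session ID."""

    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock  # injectable for deterministic tests

    def create(self, id_token_claims: dict, max_lifetime: int = 8 * 3600) -> tuple[str, int]:
        """Open a session from an already-validated ID token's claims."""
        now = int(self._clock())
        exp = int(id_token_claims["exp"])
        if exp <= now:
            raise ValueError("ID token already expired")
        # One source of truth for expiry: the token's exp, capped by app policy.
        expires_at = min(exp, now + max_lifetime)
        sid = secrets.token_urlsafe(32)  # 256-bit random, ~43 chars, reveals no claims
        self._sessions[sid] = Session(id_token_claims["sub"], dict(id_token_claims), expires_at)
        return sid, expires_at

    def cookie_header(self, sid: str, expires_at: int) -> str:
        """Set-Cookie value whose Max-Age is derived from the same expiry."""
        max_age = max(0, expires_at - int(self._clock()))
        return f"sid={sid}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def lookup(self, sid: str):
        """Return the live Session for a cookie value, or None; expired ones are purged."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.expires_at <= int(self._clock()):
            del self._sessions[sid]
            return None
        return session

    def destroy(self, sid: str) -> None:
        """Logout: drop the server-side state so the cookie value becomes useless."""
        self._sessions.pop(sid, None)
```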