I have a situation where I have an RP that does not explicitly require you to enter it. However, I looked at the session management specification for Open ID Connect, or rather the draft check_session_iframe endpoint specification in draft form here
I was wondering if the following scenario is possible. I have an RP that uses client x to federate on my OP. Is it possible that I can see if the client (x) is signed into the OP, even if you do not have a session identifier (or sid ). In other words, it is possible for the application to see if you have a session with the OP so that you are not forced to call a sign against the OP.
The main thread I want to satisfy for UX reasons is
1) go to RP.
2) check if the RP has a session with the OP.
3) - If there is a session, then autorun (without initiating a thread)
- If the session is absent, do nothing (i.e. do not need to request a login).
Is something like this possible? I understand that you can get session information if you were previously signed up (using session_state and client_id )
I looked at IdentityServer3.Samples, or rather a client sample, which shows how you can check the session state here , however this example seems to show how it can check the session state after logging in. I want to know if it is possible to check if the client currently has a session before the RP explicitly requests entry.
source share