The check_session_iframe (OpenID Connect Session Management 1.0 §3.3).
Serves the OP iframe an RP embeds (invisibly) to poll the End-User's login
state at the OP without network traffic. The RP's own iframe posts
client_id + " " + session_state here (§3.1); this page's script recomputes
the session_state from the message's client_id, the sender's origin
(MessageEvent.origin — so a message from the wrong origin can never
compare equal), the current OP browser-state cookie, and the salt carried in
the received value, then posts back exactly one of (§3.2):
unchanged— the recomputed value equals the received one;changed— it does not (the user logged out, or the state rotated);error— the message is syntactically malformed.
The computation is the mirror image of Attesto.SessionState.compute/4
(lowercase-hex SHA-256 over client_id <> " " <> origin <> " " <> opbs <> " " <> salt, dot, salt); the hash runs on crypto.subtle, which is always
available here because the page is served from the OP's HTTPS origin. The
browser-state cookie is the JavaScript-readable cookie maintained by the
authorization endpoint (set at login) and the end-session endpoint (expired
at logout) — see AttestoPhoenix.BrowserState.
The page embeds no per-user data (the cookie is read client-side at message
time), so it is served cacheable like the discovery document. It is mounted
by AttestoPhoenix.Router's session_management: true option and answers
404 unless the host enabled session_management: [enabled: true], so a
mounted-but-unconfigured route never advertises a capability that is off.
Summary
Functions
@spec show(Plug.Conn.t(), map()) :: Plug.Conn.t()