AttestoPhoenix.Controller.CheckSessionController (AttestoPhoenix v1.1.0)

Copy Markdown View Source

The check_session_iframe (OpenID Connect Session Management 1.0 §3.3).

Serves the OP iframe an RP embeds (invisibly) to poll the End-User's login state at the OP without network traffic. The RP's own iframe posts client_id + " " + session_state here (§3.1); this page's script recomputes the session_state from the message's client_id, the sender's origin (MessageEvent.origin — so a message from the wrong origin can never compare equal), the current OP browser-state cookie, and the salt carried in the received value, then posts back exactly one of (§3.2):

  • unchanged — the recomputed value equals the received one;
  • changed — it does not (the user logged out, or the state rotated);
  • error — the message is syntactically malformed.

The computation is the mirror image of Attesto.SessionState.compute/4 (lowercase-hex SHA-256 over client_id <> " " <> origin <> " " <> opbs <> " " <> salt, dot, salt); the hash runs on crypto.subtle, which is always available here because the page is served from the OP's HTTPS origin. The browser-state cookie is the JavaScript-readable cookie maintained by the authorization endpoint (set at login) and the end-session endpoint (expired at logout) — see AttestoPhoenix.BrowserState.

The page embeds no per-user data (the cookie is read client-side at message time), so it is served cacheable like the discovery document. It is mounted by AttestoPhoenix.Router's session_management: true option and answers 404 unless the host enabled session_management: [enabled: true], so a mounted-but-unconfigured route never advertises a capability that is off.

Summary

Functions

show(conn, params)

@spec show(Plug.Conn.t(), map()) :: Plug.Conn.t()