I am running Ory Hydra as an OAuth 2.0 / OpenID provider.
I want to put together a solution so that relying parties can check the end user's OpenID session status: whether they are logged in, logged out, and so on. The OpenID specification has a solution that uses an iframe, specified here. The main problem I have with this solution is described in section 5.1 of the OpenID Connect Session Management specification here:
Note that at the time of this writing, some User Agents (browsers) are starting to block access to third-party content by default to block some mechanisms used to track the End-User's activity across sites.
Specifically, the third-party content being blocked is website content with an origin different from the origin of the focused User Agent window.
Site data includes cookies and any web storage APIs (sessionStorage, localStorage, etc.).
This can prevent the ability for notifications from the OP at the RP from being able to access the RP's User Agent state to implement local logout actions.
In particular, cookies and web storage APIs may not be available in the OP frame loaded in the RP context. The side effect here is that, depending on the used mechanism (cookies or web storage), the data needed to recalculate session_state might not be available.
Cookie based implementations might then return changed for every single call, resulting in infinite loops of re-authentications.
Therefore, deployments of this specification are recommended to include defensive code to detect this situation, and if possible, notify the End-User that the requested RP logouts could not be performed.
The details of the defensive code needed are beyond the scope of this specification; it may vary per User Agent and may vary over time, as the User Agent tracking prevention situation is fluid and continues to evolve.
Is there another way to check whether the end user has an OpenID session without using the iframe implementation?