使用ORY Hydra进行OpenID会话管理

Question

我将Ory Hydra作为OAuth 2.0 / OpenID提供程序运行。

我想组合一个解决方案，以便中继方可以检查最终用户的OpenID会话状态。他们是否登录、注销等。OpenID规范有一个使用iframe指定的here的解决方案。我在此解决方案中遇到的主要问题在OpenID连接会话管理规范here的5.1节中进行了描述

Note that at the time of this writing, some User Agents (browsers) are starting to block access to third-party content by default to block some mechanisms used to track the End-User's activity across sites. 
Specifically, the third-party content being blocked is website content with an origin different that the origin of the focused User Agent window. 
Site data includes cookies and any web storage APIs (sessionStorage, localStorage, etc.).

This can prevent the ability for notifications from the OP at the RP from being able to access the RP's User Agent state to implement local logout actions. 
In particular, cookies and web storage APIs may not be available in the OP frame loaded in the RP context. The side effect here is that, depending on the used mechanism (cookies or web storage), the data needed to recalculate session_state might not be available. 
Cookie based implementations might then return changed for every single call, resulting in infinite loops of re-authentications. 
Therefore, deployments of this specification are recommended to include defensive code to detect this situation, and if possible, notify the End-User that the requested RP logouts could not be performed. 
The details of the defensive code needed are beyond the scope of this specification; it may vary per User Agent and may vary over time, as the User Agent tracking prevention situation is fluid and continues to evolve.

有没有其他方法可以在不使用iframe实现的情况下查看最终用户是否有OpenID会话？

Answer 1

您始终可以使用访问令牌询问令牌自检端点，以查看访问令牌是否仍然有效。使用这种方法，您可以避免使用iframe。作为替代方案，您可以使用短期访问令牌，并使用刷新令牌来获取新的访问令牌。对于大多数情况，这可能是一个合适的折衷方案。

请参阅令牌内省here的规范，该tutorial也是一个很好的起点

在调用此端点的响应中，您应该发现一个active字段，如果用户仍在登录，则应将该字段设置为true。

说明书上写着：

需要

active。当前显示的令牌是否处于活动状态的布尔型指示符。令牌的“活动”状态的细节将根据授权服务器的实现和它保留的关于其令牌的信息而变化，但是“活动”属性的“真”值返回通常将指示给定的令牌已经由该授权服务器发布，没有被资源所有者撤销，并且在其给定的有效时间窗口内(例如，在其发布时间之后和在其到期时间之前)。