https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #3)
We need to document it better. Understand if the param name is standard, if it needs to be carried around in responses as well, etc.
I'm not 100% sure what you mean, but I think I agree. I've got a deadline tomorrow, but I'm hoping to look at this in December. I'll be testing with Keycloak. That said, from what I've read so far at https://openid.net/specs/openid-connect-session-1_0.html, it looks like the session_state is just used by optional client side iframes for checking the user's session status with the IdP. So I think we can accept session_state in the IdP's AuthN response without actually supporting OIDC session management ourselves. -- You are receiving this mail because: You are watching all bug changes.