Azure Active Directory session_state

2
votes

I'm using Azure Active Directory to authenticate my users and this is the url that I redirect the users to:

https://login.windows.net/common/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Ftest.com%2F&client_id=CB08A120-12BD-11E4-8143-DA6DD34483DE&scope=openid&response_mode=form_post&nonce=50b4146c-585c-49e5-a78e-56d9685c56f2

The response I get comes in the form of a post and has these two parameters:

id_token=*
session_state=*

However, I'm not exactly sure what session_state is. I've tried looking through the documentation, but can't seem to find a good answer. The places where I've found session_state in the documentation are here and here, but neither one helped very much. Is the session_state something I should be persisting in a cookie and sending to each future request to Azure? Or what is its purpose and the proper way to handle it?

1
azureazure-active-directory

1 Answers

7
votes

It identifies an authenticated session at the Azure AD STS.

After the first interactive sign-in, if you re-issue your OpenIDConnect SSO request, the user wont be prompted to sign-in again - yet your app will get back a fresh token, but the sessions_state will be the same as in the previous response. However in your SSO request if you add &prompt=login, the user will be prompted to login again, and this time the sessions_state you will get back will be different.

Most applications will just ignore the value - the ones that want to track that the user indeed re-authenticated will care.

Hope this helps.