Subject session store API

1. Introduction

In order to facilitate Single Sign-On (SS0) the Connect2id server maintains a session store to remember authenticated users (subjects) between login requests from client applications. The sessions are stored in memory for speedy access (with optional overflow to disk) and replicated across the entire Connect2id server cluster, where each session object is keyed by a secure unique ID (SID), to be kept as a cookie in the user’s browser.

A new session is implicitly created when a subject (user) is logged in for the first time, via the API for handling OpenID Connect authentication (or via the custom API for direct token retrieval).

Sessions expire according to their max lifetime, authentication lifetime and max idle time (whichever occurs first). These values are configured globally, but can also be overridden on a individual basis.

The Connect2id server exposes a RESTful web API, described below, for querying, updating and deleting sessions. This API has a number of good uses:

  • Let auxiliary services and UIs to the IdP, such as a user’s profile and settings page, to share the same session.

  • Logout a user (for a single session or for all sessions that a user has).

  • Store additional data (e.g. UI preferences) in the user’s session.

  • Monitor which users are currently online and in what numbers.

  • Create user sessions independently from the regular OpenID Connect login flows.

Access to the session store API is protected by means of a long-lived token. The token must be passed with each HTTP request in the Authorization header:

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

More information can be found in the session store configuration reference.

2. Web API overview

Resources
Representations Errors

3. Resources

3.1 /session-store/rest/v2/sessions

Use this resource to create, retrieve or delete subject (end-user) sessions.

3.1.1 POST

Creates a new subject (end-user) session. Returns 201 and a secure unique identifier for the session (SID) on success. The session is deleted automatically from the store once its max session lifetime, max authentication lifetime or idle time expires (whichever occurs first).

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • Content-Type Must be set to application/json.

  • [ SID-Key ] Specifies a key for the new session to create (without the HMAC portion). If omitted the session will be automatically assigned a secure randomly generated key (recommended), with an HMAC appended. This option can be used to facilitate migration of sessions between Connect2id server instances.

Body:

  • A JSON object representation of the subject session. The only mandatory member is sub which sets the subject’s (end-user) identifier. All other members are optional, and if omitted will be left empty (acr, amr, data), given an automatic value (auth_time, creation_time), or a default value (max_life, auth_lifemax_idle).

Success:

  • Code: 201

  • SID: The session identifier (SID), to enable referral to the session in subsequent requests.

Errors:

Example request to create a new minimal session for end-user alice. The creation and authentication times will be implicitly set to the current system time.

POST /session-store/rest/v2/sessions HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "sub"  : "alice"
}

Example request to create a new session for alice detailing its authentication strength (acr), authentication factors (amr) and additional data:

POST /session-store/rest/v2/sessions HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "sub"  : "alice",
  "acr"  : "http://loa.c2id.com/high",
  "amr"  : [ "pwd", "otp" ],
  "data" : { "email"    : "[email protected]",
             "login_ip" : "192.168.0.1" }
}

Example success response returning the identifier for the newly created session in the SID header:

HTTP/1.1 201 Created
SID: Z6WJGYlFRZQwNr6-ZZ85LYKtYHPR_6Q91fw2NRK3xYw

3.1.2 GET

Retrieves an individual subject session, the sessions for a selected subject, or all sessions. The unbounded request can be potentially expensive and should be used sparingly.

If a single session is returned, its last access timestamp will be updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • [ SID ] The session identifier (SID) to specify an individual session for retrieval. If omitted all sessions will be retrieved, optionally limited to a single subject (see subject query parameter).

Query parameters:

  • [ subject ] {string} Optional query parameter, applies only when the SID header parameter is omitted, to retrieve all sessions for the specified subject.

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} A JSON object representing the individual subject session, or, if all sessions are being retrieved (optionally limited to a particular subject) a JSON object containing the session objects keyed by their session identifier (SID) (empty JSON object if no sessions were found).

Errors:

Example request to retrieve an individual session with the specified SID:

GET /session-store/rest/v2/sessions HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: cg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0

A matching response detailing the attributes of the requested session:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub"           : "alice",
  "auth_time"     : 1400491648,
  "creation_time" : 1400491648
  "max_life"      : 20160,
  "auth_life"     : 10080,
  "max_idle"      : 1440,
  "acr"           : "http://loa.c2id.com/high",
  "amr"           : [ "pwd", "otp" ],
  "data"          : { "email"    : "[email protected]",
                      "login_ip" : "192.168.0.1" }
}

Example request to retrieve all sessions for subject alice:

GET /session-store/rest/v2/sessions?subject=alice HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

A matching response response returning two sessions for subject alice, keyed by their SIDs:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0" : {
    "sub"           : "alice",
    "auth_time"     : 1400491648,
    "creation_time" : 1400491648
    "max_life"      : 20160,
    "auth_life"     : 10080,
    "max_idle"      : 1440,
    "acr"           : "http://loa.c2id.com/high",
    "amr"           : [ "pwd", "otp" ],
    "data"          : { "email"    : "[email protected]",
                        "login_ip" : "192.168.0.1" }
  },

  "khHklxYH_1n7fwEK52mOd8pRyP9R2Tt2vw57kGZ9Cjw" : {
    "sub"           : "alice",
    "auth_time"     : 1400568801,
    "creation_time" : 1400568801
    "max_life"      : 20160,
    "auth_life"     : 10080,
    "max_idle"      : 1440,
    "acr"           : "http://loa.c2id.com/high",
    "amr"           : [ "pwd", "otp" ],
    "data"          : { "email"    : "[email protected]",
                        "login_ip" : "192.168.0.2" }
  }
}

3.1.3 DELETE

Deletes one or multiple subject sessions. Has the effect of logging out the associated end-user(s) on the browser / device where they have a session.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • [ SID ] The session identifier (SID) to specify an individual session.

Query parameters:

  • [ subject ] {string} Selects all sessions for a subject (end-user) to be deleted. Should not be used together with the SID header parameter.

  • [ all ] {true|false} If set to true causes all sessions to be deleted. Should not be used together with the SID header parameter.

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} A JSON object representing the removed subject session, or, if removal of multiple sessions was requested, a JSON object containing the removed sessions keyed by their session identifier (SID) (empty JSON object if noe sessions were found).

Errors:

Example request to delete a single session with the specified SID:

DELETE /session-store/rest/v2/sessions HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub"           : "alice",
  "auth_time"     : 1400491648,
  "creation_time" : 1400491648,
  "max_life"      : 20160,
  "auth_life"     : 10080,
  "max_idle"      : 1440,
  "acr"           : "http://loa.c2id.com/high",
  "amr"           : [ "pwd", "otp" ],
  "data"          : { "email"    : "[email protected]",
                      "login_ip" : "192.168.0.1" }
}

Example request to delete all sessions for end-user bob:

DELETE /session-store/rest/v2/sessions?subject=bob HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0" : {
    "sub"           : "bob",
    "auth_time"     : 1400491648,
    "creation_time" : 1400491648,
    "max_life"      : 20160,
    "auth_life"     : 10080,
    "max_idle"      : 1440,
    "data"          : { "email"    : "[email protected]",
                        "login_ip" : "192.168.0.2" }
  },

  "khHklxYH_1n7fwEK52mOd8pRyP9R2Tt2vw57kGZ9Cjw" : {
    "sub"           : "bob",
    "auth_time"     : 1400568801,
    "creation_time" : 1400568801,
    "max_life"      : 20160,
    "auth_life"     : 10080,
    "max_idle"      : 1440,
    "data"          : { "email"    : "[email protected]", 
                        "login_ip" : "192.168.0.3" }
  }
}

3.2 /session-store/rest/v2/sessions/subject-auth

This resource enables update of the authentication details for a subject session.

3.2.1 PUT

Updates the subject authentication details of a session. Use this method to record the event of a subject being re-authenticated while preserving their session, possibly with different factors (as indicated by the acr and amr parameters).

The last access timestamp the session will be automatically updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • SID The session identifier (SID).

  • Content-Type Must be set to application/json.

Body:

  • A JSON object representation of the updated subject authentication. The only mandatory member is sub which must be set to the subject (user) identifier of the session. If the auth_time is omitted the authentication timestamp will be set to the current system time. The optional acr and amr members are used to identify the applicable authentication strength and methods.

Success:

  • Code: 204

Errors:

Example request to step up the authentication details for a session with the specified SID:

PUT /session-store/rest/v2/sessions/subject-auth
/subject-auth HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0
Content-Type: application/json

{
  "sub" : "alice",
  "acr" : "http://loa.c2id.com/high",
  "amr" : [ "pwd", "otp" ],
}

Example success response, no content is returned:

HTTP/1.1 204 No content

3.3 /session-store/rest/v2/sessions/claims

This resource enables update and deletion of the optional claims associated with a subject’s (end-user’s) session.

3.3.1 PUT

Updates the optional claims of a subject session.

The last access timestamp the session will be automatically updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • SID The session identifier (SID).

  • Content-Type Must be set to application/json.

Body:

Success:

  • Code: 204

Errors:

Example request to update the claims of a session with the specified SID:

PUT /session-store/rest/v2/sessions/claims HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0
Content-Type: application/json

{
  "roles"    : [ "admin", "audit" ],
  "login_ip" : "192.168.0.1"
}

Example success response, no content is returned:

HTTP/1.1 204 No content

3.3.2 DELETE

Deletes the optional claims of a subject session.

The last access timestamp the session will be automatically updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • SID The session identifier (SID).

Success:

  • Code: 204

Errors:

Example request to delete the claims of a session with the specified SID:

DELETE /session-store/rest/v2/sessions/claims HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0

Example success response, no content is returned:

HTTP/1.1 204 No content

3.4 /session-store/rest/v2/sessions/data

This resource enables update and deletion of the optional data associated with a subject’s (end-user’s) session.

3.4.1 PUT

Updates the optional data of a subject session.

The last access timestamp the session will be automatically updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • SID The session identifier (SID).

  • Content-Type Must be set to application/json.

Body:

Success:

  • Code: 204

Errors:

Example request to update the data of a session with the specified SID:

PUT /session-store/rest/v2/sessions/data HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0
Content-Type: application/json

{
  "email"        : "[email protected]",
  "name"         : "Alice Adams"
  "geo_location" : [ 123.123, 456.456 ],
  "timezone"     : "CET"
}

Example success response, no content is returned:

HTTP/1.1 204 No content

3.4.2 DELETE

Deletes the optional data of a subject session.

The last access timestamp the session will be automatically updated.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • SID The session identifier (SID).

Success:

  • Code: 204

Errors:

Example request to delete the data of a session with the specified SID:

DELETE /session-store/rest/v2/sessions/data HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0

Example success response, no content is returned:

HTTP/1.1 204 No content

3.5 /session-store/rest/v2/sessions/count

This resource keeps count of the subject (end-user) sessions.

3.5.1 GET

Returns the current total subject session count.

Header parameters:

Success:

  • Code: 200

  • Content-Type: text/plain

  • Body: {integer} The total session count, zero if none.

Errors:

Example request to retrieve the total session count:

GET /session-store/rest/v2/sessions/count HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response indicating 15200 current sessions:

HTTP/1.1 200 OK
Content-Type: text/plain

15200

3.6 /session-store/rest/v2/subjects

This resource keeps track of the subjects (end-users) with sessions.

3.6.1 GET

Returns a list of the subjects with sessions.

Header parameters:

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {array} An unordered JSON array of the subjects that currently have sessions. Empty array if none.

Errors:

Example request to retrieve the identifiers of subjects that have sessions:

GET /session-store/rest/v2/subjects HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

[ "alice", "bob", "claire", "dan" ]

3.7 /session-store/rest/v2/subjects/count

This resource keeps count of the subjects (end-users) with sessions.

3.7.1 GET

Returns the current total subject count.

Header parameters:

Success:

  • Code: 200

  • Content-Type: text/plain

  • Body: {integer} The total count of subjects with sessions, zero if none.

Errors:

Example request to retrieve the total subject count:

GET /session-store/rest/v2/subjects/count HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response indicating 12768 subjects with sessions:

HTTP/1.1 200 OK
Content-Type: text/plain

12768

4. Representations

4.1 Subject authentication

Subject (end-user) authentication. Details the subject identifier, the authentication timestamp, and the applicable methods and strength (if specified).

JSON object members:

  • sub {string} The subject (end-user) identifier.

  • auth_time {integer} The time of the subject authentication, as number of seconds since the Unix epoch. Defaults to the current system time if not specified when a new subject authentication is created.

  • [ acr ] {string} Optional Authentication Context Class Reference (ACR), omitted if not specified. Used to signify the strength of the employed authentication methods.

  • [ amr ] {string array} Optional list of the Authentication Method References (AMR), omitted if not specified. Used to signify the employed methods for subject authentication, such as password, hardware token,
    biometrics, etc.

Example minimal representation of a subject authentication:

{
  "sub"       : "alice",
  "auth_time" : 12345678
}

Example representation of a subject authentication with all fields defined:

{
  "sub"       : "alice",
  "auth_time" : 12345678,
  "acr"       : "http://loa.c2id.com/high",
  "amr"       : [ "mfa", "pwd", "otp" ]
}

4.2 Subject session

Subject (end-user) session. Details the subject identifier, various session timestamps and limits, and other data.

JSON object members:

  • sub {string} The subject (end-user) identifier.

  • auth_time {integer} The time of the subject authentication, as number of seconds since the Unix epoch. Defaults to the current system time if not specified when a new subject session is created.

  • creation_time {integer} The session creation time, as number of seconds since the Unix epoch. Defaults to the current system time if not specified when a new subject session is created.

  • max_life {integer} The maximum session lifetime in minutes, unlimited if negative. Defaults to the preferred maximum session lifetime if not specified when a new subject session is created.

  • auth_life {integer} The authentication lifetime in minutes, unlimited if negative. Defaults to the preferred authentication lifetime if not specified when a new subject session is created.

  • max_idle {integer} The maximum session idle time in minutes, unlimited if negative. Defaults to the preferred idle time if not specified when a new subject session is created.

  • [ acr ] {string} The Authentication Context Class Reference (ACR) for the session, omitted if not specified. Used to signify the strength of the employed authentication methods.

  • [ amr ] {string array} List of the Authentication Method References (AMR), omitted if not specified. Used to signify the employed methods for subject authentication, such as password, hardware token, biometrics, etc.

  • [ claims ] {object} Optional OpenID claims about the subject. May be used as a source to feed additional claims about the logged in subject into the issued ID tokens.

  • [ data ] {object} Optional session data, represented as a JSON object.

Example minimal JSON object to create a new subject session, with just the
subject identifier specified:

{
  "sub" : "alice" 
}

Example subject session, with all fields specified:

{
  "sub"           : "alice",
  "auth_time"     : 12345678,
  "acr"           : "http://loa.c2id.com/high",
  "amr"           : [ "mfa", "pwd", "otp" ],
  "creation_time" : 1234567,
  "max_life"      : 20160,
  "auth_life"     : 1440,
  "max_idle"      : 15,
  "claims"        : { "roles" : [ "admin", "audit" ] },
  "data"          : { "name"     : "Alice Adams",
                      "email"    : "[email protected]",
                      "login_ip" : "192.168.0.1" }
}

5. Errors

400 Bad Request

Invalid or malformed request.

Example:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Bad request: Invalid JSON: Unexpected token foo at position 3."
}

401 Unauthorized

The request was denied due to an invalid or missing bearer access token.

Example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
Content-Type: application/json

{
  "error"             : "missing_token",
  "error_description" : "Unauthorized: Missing Bearer access token"
}

403 Forbidden

Indicates the web API is disabled.

Example:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error"             : "web_api_disabled",
  "error_description" : "Forbidden: Web API disabled"
}

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found
Content-Type: application/json

{
  "error"             : "invalid_session_id",
  "error_description" : "Not found: Invalid SID or expired session"
}

409 Conflict

Two types of error conditions are signaled with the 409 Conflict status code when attempting to create a new session:

The session quota for the subject (end-user) has been exhausted:

HTTP/1.1 409 Conflict
Content-Type: application/json

{
  "error"             : "exhausted_session_quota",
  "error_description" : "Over session quota"
}

The specified new session identifier (SID) matches an existing one:

HTTP/1.1 409 Conflict
Content-Type: application/json

{
  "error"             : "session_id_collision",
  "error_description" : "Couldn't add session: SID collision, try another one"
}

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{
  "error"             : "server_error",
  "error_description" : "Internal server error: Check the logs for details"
}