Check Session Iframe
- Updated on 04 Apr 2024
During the sign-in flow, the value session_state is returned by Visma Connect as part of the client callback response from /connect/authorize.
The session state is an opaque string in which the Visma Connect IdP has encoded the authentication status of the user at the instant the OpenID authentication request was processed. The client application is not concerned with the string's content.
The client app can check whether the user's authentication status has changed by loading a hidden iframe pointing to the check_session_iframe URL and sending a request to it via window.postMessage.
Example hidden iframe towards the check_session_iframe endpoint:
<iframe id="check-session-iframe" src="https://connect.visma.com/connect/checksession" style="display: none"></iframe>
The check session message sent to the iframe is a string containing the client ID and the session state separated by white space:
[client_id] [session_state]
Example message for client_id demoapp and the session_state returned above:
demoapp 1vO3YeeIlejo7VELPzUYetJ3Ovvpl9AA7sLIQyUEvBM.0N8wJYFjJ.tNyMTROxq4lg
The message posting to the check_session_iframe must fulfill the following:
The message must be posted from the exact same web origin (scheme, hostname, port) as the client redirect_uri to which the OpenID authentication response was delivered. For example, with an https://client.example.com/callback redirection URI the message must be posted from JavaScript running in the https://client.example.com origin. If this condition isn't met, the OpenID provider iframe will respond with a spurious "changed" result.
window.postMessage takes a target origin parameter. This must be set to the web origin of the check_session_iframe (https://connect.visma.com), otherwise the browser will not deliver the message.
The check session iframe will respond by posting a simple string back to the client app window (the window.postMessage event source, to be precise):
"unchanged" -- to indicate that the user's authentication status at Visma Connect has not changed; the client app can make another check some time later (e.g. after a minute).
"changed" -- to indicate that the user's authentication status has changed, e.g. due to logout, an expired session or some other event; after this the client app can ask the user to re-authenticate with Visma Connect.
"error" -- if the posted message is malformed and the Visma Connect JavaScript couldn't parse the client ID, session state and origin from it.
Example JavaScript to post a check session message:
var client_id = "democlient";
var targetOP = "https://connect.visma.com"; // web origin of the check_session_iframe
var session_state = "W9dyG8kN6dXD53Z9sAWOgGIKczRAF7shHW2PweEmu08.b0c6a8cb1f1e2e1a688947a7713212e9";

function receiveMessage(event) {
    // Only trust responses posted by the Visma Connect origin; ignore everything else
    if (event.origin !== targetOP) {
        return;
    }
    if (event.data === "changed") {
        // status has changed (e.g. user has signed out): ask the user to re-authenticate
    } else if (event.data === "error") {
        // the iframe could not parse the posted message; check the client_id/session_state values
    }
    // "unchanged": nothing to do, check again later (e.g. after a minute)
}
window.addEventListener("message", receiveMessage, false);

function check_session() {
    // Compose the message: "[client_id] [session_state]"
    var message = client_id + " " + session_state;
    // Post the message to the OpenID provider iframe, restricting delivery to the Visma Connect origin
    var targetWindow = document.getElementById("check-session-iframe").contentWindow;
    targetWindow.postMessage(message, targetOP);
}