Include sid claim in id_token

Description

The OIDC front-channel and back-channel logout drafts [1] [2] specify that id_tokens should contain a sid claim in some scenarios. We could support that already, before implementing https://shibboleth.atlassian.net/browse/JOIDC-13.

[1] https://openid.net/specs/openid-connect-frontchannel-1_0-06.html

[2] https://openid.net/specs/openid-connect-backchannel-1_0.html

Environment

None

Activity

Henri Mikkonen, September 20, 2022 at 12:34 PM

The sid value is generated by the authorize endpoint for end-user flows, and by the token endpoint for the client_credentials grant. The value is stored in OIDCAuthenticationResponseContext and encoded into the token claims sets (authz code, access and refresh tokens).

The generation strategy can be configured with the idp.oidc.SessionIdentifierGenerationStrategy property; it defaults to shibboleth.DefaultIdentifierGenerationStrategy.

Henri Mikkonen, September 16, 2022 at 6:54 AM

The claim value should already be generated in the authorize flow in order to be available for the SPSession creation strategy (wired to the UpdateSessionWithSPSession action). In practice this means that the value must be stored in the authorization code claims set to be available in the token flow where the id_tokens are usually issued.
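The flow described in the ticket (a sid minted at the authorization endpoint, carried in the authorization code claims set, and copied into the id_token, access and refresh tokens, or minted at the token endpoint for client_credentials) and the logout-token matching the drafts rely on it, as an added illustration that is not the Shibboleth IdP OIDC plugin's own code. It is an in-memory model: the issuer URL and the code store are constructed, the `generate_sid` function is a hypothetical stand-in for the IdP's configurable identifier generation strategy, and token signing is out of scope, so claims sets are plain dicts.

```python
# Added example, not the Shibboleth IdP OIDC plugin's code. Models how a
# session identifier (sid) generated at the authorization endpoint travels
# through the authorization code claims set into the issued tokens, and how
# an RP matches a back-channel logout_token's sid against its own sessions.
import secrets
import time
from typing import Dict, Optional, Set, Tuple

ISSUER = "https://op.example.org"  # constructed issuer value
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def generate_sid() -> str:
    """Hypothetical stand-in for the IdP's identifier generation strategy."""
    return secrets.token_urlsafe(24)


def authorize(code_store: Dict[str, dict], sub: str, client_id: str) -> Tuple[str, str]:
    """Authorization endpoint (end-user flows): the sid is minted here so it
    exists when the session is created, and it is stored in the authorization
    code claims set because the id_token is usually issued in the token flow."""
    sid = generate_sid()
    code = secrets.token_urlsafe(32)
    code_store[code] = {"sub": sub, "client_id": client_id, "sid": sid,
                        "exp": int(time.time()) + 60}
    return code, sid


def token(code_store: Dict[str, dict], grant_type: str,
          code: Optional[str] = None, client_id: Optional[str] = None) -> dict:
    """Token endpoint: for authorization_code the sid is copied from the code
    claims set into every issued token; for client_credentials there is no
    authorize step, so the sid is generated here instead."""
    now = int(time.time())
    if grant_type == "client_credentials":
        sid = generate_sid()
        return {"access_token": {"iss": ISSUER, "sub": client_id,
                                 "client_id": client_id, "sid": sid, "iat": now}}
    if grant_type != "authorization_code":
        raise ValueError("unsupported grant_type")
    claims = code_store.pop(code, None)  # authorization codes are single use
    if claims is None or claims["exp"] < now:
        raise ValueError("invalid or expired authorization code")
    sid, sub, aud = claims["sid"], claims["sub"], claims["client_id"]
    return {
        "id_token": {"iss": ISSUER, "sub": sub, "aud": aud, "sid": sid,
                     "iat": now, "exp": now + 300},
        "access_token": {"iss": ISSUER, "sub": sub, "client_id": aud,
                         "sid": sid, "iat": now},
        "refresh_token": {"iss": ISSUER, "sub": sub, "client_id": aud,
                          "sid": sid, "iat": now},
    }


def make_logout_token(aud: str, sid: str) -> dict:
    """Claims of a back-channel logout token targeting one session."""
    return {"iss": ISSUER, "aud": aud, "iat": int(time.time()),
            "jti": secrets.token_urlsafe(16),
            "events": {BACKCHANNEL_EVENT: {}}, "sid": sid}


def validate_logout_token(claims: dict, expected_aud: str, active_sids: Set[str]) -> bool:
    """RP-side checks for a sid-based logout token: issuer and audience, the
    backchannel-logout event, no nonce, and a sid that belongs to a session
    this RP actually holds (unknown sids are ignored rather than acted on)."""
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        return False
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        return False
    if "nonce" in claims:  # logout tokens must not carry a nonce
        return False
    sid = claims.get("sid")
    return sid is not None and sid in active_sids
```

The RP check is the reason the sid has to be the same value in the id_token and the later logout_token: the RP records the sid it saw in the id_token at login, and only a logout_token naming one of those recorded sids terminates a session.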

Done

Details

Created September 16, 2022 at 6:48 AM
Updated November 4, 2022 at 10:58 AM
Resolved November 4, 2022 at 10:58 AM