Access token sid claim for backchannel logout missing
š¬Self-hostedš”ļøAuthorizationāQuestionšActionsšOIDC
An access token in JWT currently contains no sid claim and I don't see any option to add it (no variable in actions V1/V2 available). The sid claim is only seen in the id token and the revocation token generated by the OIDC Back-Channel Logout.
I couldn't found a way to reject the access token when looking at the revocation token if I don't have the id token at the same time (contains sid claim and hashsum of the access token). The jid claim from the access token is structured like V2_364509079197974537-at_364509079198040073 but it seems oidcSessionID isn't the session id from the revocation id which is V1_364509077235040265 in my example.
// internal/command/oidc_session_test.go
~
SessionID: "sessionID",
TokenID: "V2_oidcSessionID-at_accessTokenID",
~
How to reject the access token by lookingg at the revocation token alone? Why is there no sid on every token generated inside a session?
I couldn't found a way to reject the access token when looking at the revocation token if I don't have the id token at the same time (contains sid claim and hashsum of the access token). The jid claim from the access token is structured like V2_364509079197974537-at_364509079198040073 but it seems oidcSessionID isn't the session id from the revocation id which is V1_364509077235040265 in my example.
// internal/command/oidc_session_test.go
SessionID: "sessionID",
TokenID: "V2_oidcSessionID-at_accessTokenID",
How to reject the access token by lookingg at the revocation token alone? Why is there no sid on every token generated inside a session?
