[Openid-specs-ab] Issue #1176: backchannel logout spec doesn't have requirement that `sid` in id_token & logout_token match (openid/connect)

josephheenan issues-reply at bitbucket.org
Tue Jun 16 07:16:12 UTC 2020


New issue 1176: backchannel logout spec doesn't have requirement that `sid` in id_token & logout_token match
https://bitbucket.org/openid/connect/issues/1176/backchannel-logout-spec-doesnt-have

Joseph Heenan:

[https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken](https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken) says:

> sid
>
> OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different `sid` values are used to identify distinct sessions at an OP. The `sid` value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.

I expected this to say “the sid value MUST match that in the id_token” or something along this line. To some extent it’s currently left to the reader to realise the values must be the same.
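An added example, not code from the issue, the mailing list or the spec, of how an RP could enforce the matching Joseph describes: once the logout token's signature has been verified, its claims are checked and its `sid` is compared against the `sid` the RP stored from the id_token at login. The session-store shape and the function names are assumptions.

```python
# Added example (not from the issue or the spec): RP-side check that the
# `sid` in a back-channel logout token matches the `sid` recorded from the
# id_token when the session was created. The logout token's signature is
# assumed to have been verified already; only the claims are checked here.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    pass


def validate_logout_token_claims(claims, issuer, client_id):
    """Logout Token checks that need no session state. Returns (sub, sid)."""
    if claims.get("iss") != issuer:
        raise LogoutTokenError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise LogoutTokenError("aud does not contain this client")
    if "iat" not in claims:
        raise LogoutTokenError("iat missing")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise LogoutTokenError("backchannel-logout event missing")
    if "nonce" in claims:
        raise LogoutTokenError("nonce is prohibited in a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise LogoutTokenError("sub or sid required")
    return sub, sid


def sessions_to_terminate(claims, issuer, client_id, sessions):
    """`sessions` maps the RP's local session id to the id_token claims stored
    at login (assumed store shape). Returns the local sessions whose stored
    `sid` (and `sub`, when present) match the logout token: the matching rule
    the issue asks the spec to state explicitly."""
    sub, sid = validate_logout_token_claims(claims, issuer, client_id)
    hits = []
    for local_id, idt in sessions.items():
        if idt.get("iss") != issuer:
            continue  # session was established with a different OP
        if sid is not None and idt.get("sid") != sid:
            continue  # logout token names a session, and it is not this one
        if sub is not None and idt.get("sub") != sub:
            continue  # logout token names an End-User, and it is not this one
        hits.append(local_id)
    return hits
```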
