[Openid-specs-ab] Issue #1176: backchannel logout spec doesn't have requirement that `sid` in id_token & logout_token match (openid/connect)
issues-reply at bitbucket.org
Tue Jun 16 07:16:12 UTC 2020
New issue 1176: backchannel logout spec doesn't have requirement that `sid` in id_token & logout_token match
> OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different `sid` values are used to identify distinct sessions at an OP. The `sid` value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
I expected this to say “the `sid` value MUST match that in the `id_token`” or something along these lines. To some extent it’s currently left to the reader to realise the values must be the same.
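The matching the issue asks for is something an RP has to implement anyway: at login it records the `iss`/`sid` pair from the validated ID Token, and when a logout token arrives it must only terminate the local session whose stored pair equals the token's `iss` and `sid` (and, if `sub` is also present, whose subject agrees). The following is an added illustration written for this thread, not code from the OpenID specification or from any OP or RP implementation. It assumes HS256 signing with the client secret so that it runs offline with the standard library only; a real OP would normally use an asymmetric algorithm and the RP would verify with the OP's JWKS. All names (`remember_login`, `verify_logout_token`, the constructed issuer, client id and session values) are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Event name defined by OpenID Connect Back-Channel Logout for logout tokens.
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Raised when a logout token must be rejected (the RP answers HTTP 400)."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWS. Used here only to construct sample tokens;
    in a real deployment the OP signs and the RP only verifies."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def remember_login(sessions: dict, id_token_claims: dict, local_session: str) -> None:
    """Record the (iss, sid) pair from an already-validated ID Token at login.
    `sid` is only unique per issuer, so the issuer is part of the key."""
    sessions[(id_token_claims["iss"], id_token_claims["sid"])] = {
        "sub": id_token_claims["sub"],
        "local_session": local_session,
    }


def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise LogoutTokenError(msg)


def verify_logout_token(token: str, key: bytes, issuer: str, client_id: str,
                        sessions: dict, now: float = None, skew: int = 60,
                        max_age: int = 300) -> list:
    """Validate a logout token and return the local session ids to terminate.
    `skew` and `max_age` (seconds) are local policy choices, not spec values."""
    now = time.time() if now is None else now
    parts = token.split(".")
    _require(len(parts) == 3, "malformed JWT")
    h, b, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        raise LogoutTokenError("undecodable JWT")
    # Pin the algorithm before trusting anything in the payload.
    _require(header.get("alg") == "HS256", "unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    _require(hmac.compare_digest(expected, signature), "bad signature")

    # Claim checks from the Back-Channel Logout validation rules.
    _require(claims.get("iss") == issuer, "wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    _require(client_id in aud, "not addressed to this client")
    iat = claims.get("iat")
    _require(isinstance(iat, (int, float)), "missing iat")
    _require(iat <= now + skew and iat >= now - max_age, "iat outside acceptance window")
    _require(isinstance(claims.get("jti"), str), "missing jti")
    events = claims.get("events")
    _require(isinstance(events, dict) and isinstance(events.get(LOGOUT_EVENT), dict),
             "missing backchannel-logout event")
    _require("nonce" not in claims, "nonce is prohibited in logout tokens")
    sid, sub = claims.get("sid"), claims.get("sub")
    _require(sid is not None or sub is not None, "need sid or sub")

    # The matching step the issue is about: sid must equal the sid recorded
    # from the ID Token for the same issuer, and sub (if present) must agree.
    if sid is not None:
        session = sessions.get((issuer, sid))
        _require(session is not None, "sid does not match any session from this issuer")
        _require(sub is None or session["sub"] == sub, "sub does not match the session")
        return [session["local_session"]]
    # sub-only token: every session of that subject at this issuer is affected.
    targets = [v["local_session"] for (iss, _), v in sessions.items()
               if iss == issuer and v["sub"] == sub]
    _require(bool(targets), "no session for this subject")
    return targets
```

Keying the session store on `(iss, sid)` rather than on `sid` alone follows directly from the quoted text: the identifier is only unique within one issuer, so an RP that trusts several OPs must not let a `sid` from one issuer select a session established with another. Replay protection on `jti` is deliberately left out of the example; an RP would additionally keep a short-lived cache of seen `jti` values.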