Session Id claim is missing from identity token

[dgioulakis]

We are using IS version 6.1.7 with server-side sessions enabled. Our product teams are looking to start implementing single-logout using backchannel, but I noticed our identity tokens do not contain the sid session identifier claim. I briefly checked the documentation and reviewed the IS code, but may have missed something. Is there an easy way to enable this claim to be issued? I see it would be filtered out by the custom profile service.

[josephdecock]

This looks like a bug. It appears that when the CheckSession endpoint is disabled, the sid claim is not included in the token. Originally, the sid was only used with the CheckSession endpoint, but now it is used in more places - such as backchannel logout. We will investigate this a bit more and hope to get a patch release soon.

[dgioulakis]

Oh interesting find. I will take a look at that. I tried upgrading to 6.2.2 just in case, but no luck. Thanks for digging into it.

Re-examining my duende config I saw my notes:
iso.Endpoints.EnableCheckSessionEndpoint = false; // disable since 3rd-party cookies are going extinct

We have a first-party set of web applications on disjoint root domains, so we can't make use of any front-channel, 3rd party cookies.

[dgioulakis]

Can confirm that re-enabling the endpoint resolves the issue. We'll just do that until a fix. Thanks for your help @josephdecock

[brockallen]

@Cephei -- can you upgrade to 6.2.x for a patch, or do you need to stay on 6.1.x?

[dgioulakis]

We can update. I'd like to do that anyway to stay as current as possible.

[brockallen]

Ok, great!

@josephdecock --- we only need to patch 6.2.x then, and merge forward.

thanks all!

[brockallen]

6.2.3 was just released with this fix. Thanks all!