From ab3ad2f97c4ca7e265116f49cbae734147c90c75 Mon Sep 17 00:00:00 2001
From: Joe DeCock
Date: Wed, 1 Feb 2023 20:37:34 -0600
Subject: [PATCH] Always emit the sid claim in id tokens
In the past, we only needed the sid claim in the check session endpoint, and only included the sid claim when that endpoint was enabled check session. Now we have more cases where the sid claim is useful, so we are no longer going to make the sid claim conditional on the EnableCheckSessionEndpoint option
---
 .../Default/AuthorizeRequestValidator.cs | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs b/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
index 39c3e2f59..0408f5fc3 100644
--- a/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
+++ b/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
@@ -874,27 +874,24 @@ private async Task ValidateOptionalParametersA
 }
 //////////////////////////////////////////////////////////
- // check session cookie
+ // session id
 //////////////////////////////////////////////////////////
- if (_options.Endpoints.EnableCheckSessionEndpoint)
+ if (request.Subject.IsAuthenticated())
 {
- if (request.Subject.IsAuthenticated())
+ var sessionId = await _userSession.GetSessionIdAsync();
+ if (sessionId.IsPresent())
 {
- var sessionId = await _userSession.GetSessionIdAsync();
- if (sessionId.IsPresent())
- {
- request.SessionId = sessionId;
- }
- else
- {
- LogError("Check session endpoint enabled, but SessionId is missing", request);
- }
+ request.SessionId = sessionId;
 }
 else
 {
- request.SessionId = ""; // empty string for anonymous users
+ LogError("SessionId is missing", request);
 }
 }
+ else
+ {
+ request.SessionId = ""; // empty string for anonymous users
+ }
 return Valid(request);
 }
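Review bot: In the authenticated branch, when `sessionId.IsPresent()` is false the new code only calls `LogError` and then falls through to `return Valid(request)`, leaving `request.SessionId` unassigned, whereas the anonymous path sets an explicit `""`. Before this change that path was reachable only with `EnableCheckSessionEndpoint` on; now every authenticated authorize request can reach it, so presumably an id token without `sid` is issued and anything that relies on `sid` for session tracking or logout gets no signal beyond the log entry. If continuing is intended, state it at the branch, e.g. `// no session id available: the request stays valid and the id token is issued without sid`, and make the message self-explanatory now that the endpoint context is gone: `LogError("User is authenticated, but SessionId is missing", request);`. The enclosing method (shown truncated in the hunk header as `ValidateOptionalParametersA`) starts outside the hunk, so the initial value of `request.SessionId` is not visible here.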