
What does "sid" mean in OpenID Connect logout specification?

Both the OpenID Connect front-channel logout and back-channel logout specification drafts mention the term "sid". But from the formulation, it is not clear to me whether "sid" refers to the session on the OP side or on the RP side.

I assume that sid refers to the OP session, as the OP doesn't have access to the ID of the RP session. At least I am not seeing anything in the specifications where the RP shares its session ID with the OP, hence the OP wouldn't know which "sid" value it should use.

Am I correct that this refers to the OP session ID, which is shared with the RP through the "session_state" claim in the ID token?

I can see the flow like this:
1) RP wants to log in and redirects to OP
2) OP authenticates the user, generates tokens and then, in the ID token, it will send its session "op_session123" in the claim "session_state" of the ID token
3) RP receives the ID token and saves some state on its side with "op_session123" as the OP session ID
4) Later OP wants to log out the user, so it will send a back-channel logout token with the sid "op_session123".
5) RP will terminate its own session, which corresponds to the OP session "op_session123".

Is it correct?

Thanks,
Marek Posolda
Keycloak software engineer
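The five-step flow above, worked through as an added example that is not part of the original post or of Keycloak. It follows the OpenID Connect Back-Channel Logout draft, where the OP's session identifier travels in the `sid` claim of the ID Token and of the Logout Token (the Logout Token also carries `iss`, `aud`, `iat`, `jti`, an `events` claim keyed by `http://schemas.openid.net/event/backchannel-logout`, and `sub` and/or `sid`, and must not carry `nonce`). The RP keeps its own session ID private and only stores the mapping `(iss, sid) -> local session`. The issuer URL, client_id, the value `op_session123`, and the HS256 shared secret are constructed for the demo; a real OP signs with asymmetric keys published at its JWKS endpoint, and the verification step would be replaced by a proper JOSE library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (hypothetical issuer, client_id and shared secret).
OP_ISSUER = "https://op.example/realms/demo"
RP_CLIENT_ID = "rp-client"
OP_SECRET = b"constructed-demo-secret"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_SKEW = 120  # seconds of clock skew tolerated on a logout token's iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = OP_SECRET) -> str:
    """Mint a compact HS256 JWT; stands in for the OP's real (asymmetric) signer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = OP_SECRET) -> dict:
    """Check the signature and return the claims; raise ValueError on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def mint_id_token(sub: str, sid: str) -> str:
    """Step 2: the OP issues an ID Token carrying its own session id in `sid`."""
    now = int(time.time())
    return sign_jwt({"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "sub": sub,
                     "sid": sid, "iat": now, "exp": now + 300})


def mint_logout_token(jti: str, sub=None, sid=None, extra=None) -> str:
    """Step 4: the OP issues a Logout Token naming the session (sid) and/or subject."""
    claims = {"iss": OP_ISSUER, "aud": RP_CLIENT_ID, "iat": int(time.time()),
              "jti": jti, "events": {LOGOUT_EVENT: {}}}
    if sub is not None:
        claims["sub"] = sub
    if sid is not None:
        claims["sid"] = sid
    claims.update(extra or {})
    return sign_jwt(claims)


class RelyingParty:
    """Keeps local sessions and the (iss, sid) -> local session index (step 3)."""

    def __init__(self):
        self.sessions = {}       # local session id -> {"iss", "sub", "sid"}
        self.by_op_session = {}  # (iss, sid) -> local session id
        self.seen_jti = set()    # processed logout-token ids (replay guard)

    def login(self, id_token: str) -> str:
        claims = verify_jwt(id_token)
        if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
            raise ValueError("ID token not issued for this RP")
        local_id = secrets.token_hex(16)  # RP's own session id; never shared with the OP
        self.sessions[local_id] = {"iss": claims["iss"], "sub": claims["sub"], "sid": claims.get("sid")}
        if claims.get("sid"):
            self.by_op_session[(claims["iss"], claims["sid"])] = local_id
        return local_id

    def backchannel_logout(self, logout_token: str) -> list:
        """Step 5: validate the Logout Token, then end the matching local session(s)."""
        claims = verify_jwt(logout_token)
        if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
            raise ValueError("logout token not issued for this RP")
        if abs(time.time() - claims.get("iat", 0)) > MAX_SKEW:
            raise ValueError("logout token iat outside tolerance")
        if LOGOUT_EVENT not in claims.get("events", {}):
            raise ValueError("missing backchannel-logout event claim")
        if "nonce" in claims:
            raise ValueError("logout token must not carry a nonce")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("logout token needs sub or sid")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(jti)
        if "sid" in claims:  # targeted: one OP session maps to one local session
            targets = [self.by_op_session.get((claims["iss"], claims["sid"]))]
        else:                # no sid: end every local session for that subject
            targets = [lid for lid, s in self.sessions.items() if s["sub"] == claims["sub"]]
        terminated = []
        for lid in targets:
            if lid in self.sessions:
                sess = self.sessions.pop(lid)
                self.by_op_session.pop((sess["iss"], sess["sid"]), None)
                terminated.append(lid)
        return terminated


def demo():
    """Run the whole flow with the constructed OP session id op_session123."""
    rp = RelyingParty()
    local_id = rp.login(mint_id_token("alice", "op_session123"))
    terminated = rp.backchannel_logout(mint_logout_token("lt-1", sub="alice", sid="op_session123"))
    return local_id, terminated, len(rp.sessions)


if __name__ == "__main__":
    print(demo())
```

The `jti` set and the `nonce` check are the two validations most often skipped in RP implementations; without them a captured logout token can be replayed, and an ID Token (which does carry a `nonce`) could be mistaken for a Logout Token.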