ID Token doesn’t contain the sid 【Resource Owner Password Flow】

In a shell script, I make a call to the oauth/token endpoint to retrieve an ID Token.

ACCESS_TOKEN=$(curl --silent --request POST \
  --url "https://${AUTH0_DOMAIN}/oauth/token" \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data-urlencode "username=${AUTH0_USER}" \
  --data-urlencode "password=${AUTH0_PASSWORD}" \
  --data-urlencode "audience=${AUTH0_AUDIENCE}" \
  --data-urlencode "scope=openid profile email" \
  --data-urlencode "client_id=${AUTH0_CLIENT_ID}" \
  --data-urlencode "client_secret=${AUTH0_CLIENT_SECRET}" \
  | jq -r .id_token)

It works well and I can retrieve an ID Token.
However, the token doesn’t contain the sid claim.

Is this expected behavior or a bug?

Hi @t.fukao, and thank you for your question!

The sid (Session ID) claim is not included in tokens obtained via the Resource Owner Password Grant (ROPG) because this flow is non-interactive and does not create a user session with the Auth0 authentication server.

To get an ID Token that contains a sid claim, you must use an interactive, OIDC-conformant login flow like the Authorization Code Flow, where a user authenticates through their browser, not through a shell script.

I hope this info helps you!
Teodor.
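
The following is an added example, not part of the original posts or Auth0's own code: a script that needs sid can check for the claim before relying on it. The two tokens are constructed, unsigned samples with placeholder values, and the function names are hypothetical; the check only inspects the payload and does not verify the signature.

```shell
#!/bin/sh
# Added example: report whether an ID Token's payload carries a "sid" claim.
# Inspection only: the token's signature is NOT verified here.

# Encode stdin as unpadded base64url (used only to build the constructed samples).
b64url_encode() {
  base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print the decoded JSON payload (second segment) of a compact JWT.
jwt_payload() {
  _seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  [ -n "$_seg" ] || return 1          # no '.' separators: not a JWT
  # Restore the '=' padding that base64url strips.
  case $(( ${#_seg} % 4 )) in
    2) _seg="${_seg}==" ;;
    3) _seg="${_seg}=" ;;
    1) return 1 ;;                    # impossible base64 length
  esac
  printf '%s' "$_seg" | base64 -d
}

# Exit 0 only when the payload contains a "sid" key.
# Simple text match on the JSON; jq's has("sid") is stricter if jq is available.
has_sid() {
  jwt_payload "$1" | grep -Eq '"sid"[[:space:]]*:'
}

# Build an unsigned sample token from a JSON payload (constructed data).
make_sample_token() {
  _hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)
  _pay=$(printf '%s' "$1" | b64url_encode)
  printf '%s.%s.' "$_hdr" "$_pay"
}

# Constructed payloads: one shaped like a password-grant ID Token (no sid),
# one shaped like an interactive-login ID Token (with sid).
ROPG_TOKEN=$(make_sample_token '{"iss":"https://example.invalid/","sub":"auth0|constructed","aud":"constructed-client"}')
CODE_FLOW_TOKEN=$(make_sample_token '{"iss":"https://example.invalid/","sub":"auth0|constructed","aud":"constructed-client","sid":"constructed-session-id"}')

report() {
  if has_sid "$2"; then echo "$1: sid present"; else echo "$1: sid missing"; fi
}

report "password grant sample" "$ROPG_TOKEN"
report "interactive login sample" "$CODE_FLOW_TOKEN"
```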