ID Token doesn’t contain the sid 【Resource Owner Password Flow】

t.fukao · August 4, 2025, 7:41am

In a shell script, I make a call to the oauth/token endpoint to retrieve an ID Token.
reference

ACCESS_TOKEN=$(curl --silent --request POST \
  --url 'https://${AUTH0_DOMAIN}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data-urlencode "username=${AUTH0_USER}" \
  --data-urlencode "password=${AUTH0_PASSWORD}" \
  --data-urlencode "audience=${AUTH0_AUDIENCE}" \
  --data-urlencode "scope=openid profile email" \
  --data-urlencode "client_id=${AUTH0_CLIENT_ID}" \
  --data-urlencode "client_secret=${AUTH0_CLIENT_SECRET}" \
  | jq -r .id_token)

It works well and I can retrieve an ID Token.
However, the token doesn’t contain the sid claim.

Is this expected behavior or a bug?

teodor.andrei · August 4, 2025, 10:36am

Hi @t.fukao, and thank you for your question!

The sid (Session ID) claim is not included in tokens obtained via the Resource Owner Password Grant (ROPG) because this flow is non-interactive and does not create a user session with the Auth0 authentication server.

To get an ID Token that contains a sid claim, you must use an interactive, OIDC-conformant login flow like the Authorization Code Flow, where a user authenticates through their browser, not through a shell script.

I hope this info helps you!
Teodor.

Topic		Replies	Views
Auth0 SID permanent? Get Help user-management , account-linking	11	2326	February 21, 2024
Auth0 Bearer Token SID Repeats Across Users Get Help sessions , authentication-sessions	2	30	July 17, 2025
How to obtain id_token with auth0-spa-js Get Help spa	20	22589	February 27, 2020
How do I get the ID token via command line Get Help jwt , api , management-api	2	3478	March 28, 2022
Resource Owner Password authentication failure Get Help resource-owner-passw	5	3669	August 19, 2021

ID Token doesn’t contain the sid 【Resource Owner Password Flow】

Related topics