ID Token doesn’t contain the sid 【Resource Owner Password Flow】

Get Help
,
1

In a shell script, I make a call to the oauth/token endpoint to retrieve an ID Token.
reference

ACCESS_TOKEN=$(curl --silent --request POST \
  --url 'https://${AUTH0_DOMAIN}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data-urlencode "username=${AUTH0_USER}" \
  --data-urlencode "password=${AUTH0_PASSWORD}" \
  --data-urlencode "audience=${AUTH0_AUDIENCE}" \
  --data-urlencode "scope=openid profile email" \
  --data-urlencode "client_id=${AUTH0_CLIENT_ID}" \
  --data-urlencode "client_secret=${AUTH0_CLIENT_SECRET}" \
  | jq -r .id_token)

It works well and I can retrieve an ID Token.
However, the token doesn’t contain the sid claim.

18747b5b57caa89a7c7281193f93f57f
18747b5b57caa89a7c7281193f93f57f1172×321 21.1 KB

Is this expected behavior or a bug?

3

Hi @t.fukao, and thank you for your question!

The sid (Session ID) claim is not included in tokens obtained via the Resource Owner Password Grant (ROPG) because this flow is non-interactive and does not create a user session with the Auth0 authentication server.

To get an ID Token that contains a sid claim, you must use an interactive, OIDC-conformant login flow like the Authorization Code Flow, where a user authenticates through their browser, not through a shell script.

I hope this info helps you!
Teodor.

1 Like
4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.