In a shell script, I make a call to the oauth/token
endpoint to retrieve an ID Token.
reference
ACCESS_TOKEN=$(curl --silent --request POST \
--url 'https://${AUTH0_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data-urlencode "username=${AUTH0_USER}" \
--data-urlencode "password=${AUTH0_PASSWORD}" \
--data-urlencode "audience=${AUTH0_AUDIENCE}" \
--data-urlencode "scope=openid profile email" \
--data-urlencode "client_id=${AUTH0_CLIENT_ID}" \
--data-urlencode "client_secret=${AUTH0_CLIENT_SECRET}" \
| jq -r .id_token)
It works well and I can retrieve an ID Token.
However, the token doesn’t contain the sid claim.
Is this expected behavior or a bug?