Is there a way to get the sid (session_state) as a claim? #1184
Unanswered
NunoComenda
asked this question in
Q&A
Replies: 1 comment
-
mod_auth_openidc supports OpenID Connect backchannel logout and handles the logout call on the backend clearing the session so there should be no need to interfere with that; apart from that, the spec says that |
-
Hi all,
First of all, thank you for the amazing software.
Let me write a quick question in case there is an obvious solution, and leave a more lengthy context after. Is there a way to get the sid as an OIDC claim so that we can identify subsequent application sessions created within the same openid session?
Thank you!
Context:
We have a specific session management that we don't know how to implement, where users should only be able to access the /secure part of the website if successfully authenticated in the OP. Then, during the lifetime of the openid session, users should be able to impersonate several application users and have different application sessions open on the server.
Once the openid session is terminated in the OP, we would like to receive the logout call on the backend via the backchannel and clear all the application sessions. We receive the call which sends the sid as a query parameter, but as during the creation of the application sessions we don't seem to find a way to access the sid (session_state), we are not able to clear all the sessions.
Hence the question: is there a way to get the sid (session_state) as a claim?