From f5e5d842e6aa4716f9fc91e1f1197f58c16a487f Mon Sep 17 00:00:00 2001
From: ybelMekk
Date: Sat, 22 Jan 2022 15:03:54 +0100
Subject: [PATCH] wip: sid claim only required if frontchannel_logout_session_supported && frontchannel_logout_supported.

---
 pkg/router/handler_callback.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/router/handler_callback.go b/pkg/router/handler_callback.go
index 772b480..623c12a 100644
--- a/pkg/router/handler_callback.go
+++ b/pkg/router/handler_callback.go
@@ -88,7 +88,10 @@ func (h *Handler) validateIDToken(idToken *openid.IDToken, loginCookie *openid.L
 		jwt.WithClaimValue("nonce", loginCookie.Nonce),
 		jwt.WithIssuer(h.Provider.GetOpenIDConfiguration().Issuer),
 		jwt.WithAcceptableSkew(5 * time.Second),
-		jwt.WithRequiredClaim("sid"),
+	}
+
+	if h.sidClaimRequired() {
+		validateOpts = append(validateOpts, jwt.WithRequiredClaim("sid"))
 	}
 
 	if len(h.Provider.GetClientConfiguration().GetACRValues()) > 0 {
@@ -107,3 +110,8 @@ func (h *Handler) validateIDToken(idToken *openid.IDToken, loginCookie *openid.L
 
 	return externalSessionID, nil
 }
+
+func (h *Handler) sidClaimRequired() bool {
+	config := h.Provider.GetOpenIDConfiguration()
+	return config.FrontchannelLogoutSupported && config.FrontchannelLogoutSessionSupported
+}
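Review bot: With `sid` no longer a required claim, the part of validateIDToken between the two hunks that produces `externalSessionID` (the value returned at the end of the function) presumably reads the sid claim, and if the claim is absent it may now hand back an empty or zero session ID that downstream session handling could treat as valid; that path should return an explicit error, or a documented sentinel, when the claim is missing and not required. `h.Provider.GetOpenIDConfiguration()` is also called twice in this function now, once for `Issuer` and again inside `sidClaimRequired`; hoisting `config := h.Provider.GetOpenIDConfiguration()` to the top of validateIDToken keeps both checks on a single snapshot of the discovery document. validateIDToken starts before this hunk and continues past it.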
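Review bot: sidClaimRequired has no doc comment explaining why these two discovery flags gate the sid requirement; suggest `// sidClaimRequired reports whether the provider advertises front-channel logout with session identifiers, in which case the ID token is expected to carry a sid claim so the RP session can be matched on logout.` The `wip` subject line suggests the condition is not final: if the sid claim is what the OP promises when it sets `FrontchannelLogoutSessionSupported`, confirm whether additionally requiring `FrontchannelLogoutSupported` is intended, since a provider setting only the session flag would then skip the sid requirement entirely.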