mirror of
https://github.com/nais/wonderwall.git
synced 2026-05-09 01:47:03 +00:00
Turns out that Azure AD doesn't support the `check_session_iframe` property. However it still returns the session ID in the `session_state` parameter during callbacks, and optionally can be configured to return the `sid` claim in id_tokens.

This commit changes the behaviour of the SessionID method to get the session ID if found, with the order of preference being:

1. from the `sid` claim in the id_token,
2. from the `session_state` parameter provided by the OP during callbacks

If neither are found, and the OP's configuration does not indicate that either should be (e.g. no support for front-channel logout and/or session management), we fall back to generating our own session ID.
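The order of preference described in the commit message above, as an added Go example that is not wonderwall's own code. The `ProviderConfig` type, the function signature, and returning an error when the OP advertises session support but supplies no ID are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// ProviderConfig is a hypothetical holder for the two discovery metadata
// fields that signal the OP should supply a session ID.
type ProviderConfig struct {
	CheckSessionIframe                 string // check_session_iframe
	FrontchannelLogoutSessionSupported bool   // frontchannel_logout_session_supported
}

var ErrMissingSessionID = errors.New("OP advertises session support but supplied no session ID")

// SessionID resolves a session ID. claims must come from an id_token whose
// signature and standard claims have already been validated.
func SessionID(cfg ProviderConfig, claims map[string]interface{}, callback url.Values) (string, error) {
	// 1. Prefer the `sid` claim from the id_token.
	if sid, ok := claims["sid"].(string); ok && sid != "" {
		return sid, nil
	}
	// 2. Otherwise use `session_state` from the callback (the Azure AD case).
	if state := callback.Get("session_state"); state != "" {
		return state, nil
	}
	// Assumption: if the OP's metadata says an ID should exist, fail closed
	// rather than mint an ID that logout notifications could never match.
	if cfg.FrontchannelLogoutSessionSupported || cfg.CheckSessionIframe != "" {
		return "", ErrMissingSessionID
	}
	// 3. Fall back to a locally generated, unguessable ID.
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	// Constructed callback: no `sid` claim, but `session_state` is present.
	cb := url.Values{"code": {"constructed-code"}, "session_state": {"constructed-state"}}
	id, err := SessionID(ProviderConfig{}, map[string]interface{}{}, cb)
	fmt.Println(id, err)
}
```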