Description
Describe your question
I just upgraded to 2025.8.0 and wanted to use back-channel logout with nextcloud user_oidc.
According to its docs I set Back-channel Logout URI in the provider to https://[censored].de/apps/user_oidc/backchannel-logout/[censored] .
However, this setup did not seem to work as expected and errored out.
[index] Error: OCA\UserOIDC\Db\SessionMapper::findSessionBySid(): Argument #1 ($sid) must be of type string, null given, called in /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php on line 784 in file '/var/www/html/custom_apps/user_oidc/lib/Db/SessionMapper.php' line 53
POST /apps/user_oidc/backchannel-logout/[censored]
from 10.5.0.1 by -- at 20.08.2025, 21:40:19
To reproduce: Configure authentik with Nextcloud’s user_oidc, enable back-channel logout, trigger logout from provider → see error
After having a look at the pull request for back-channel logout, I noticed in authentik/providers/oauth2/tasks.py that the jwt for the logout token does not seem to contain a session id.
According to the specification, the sid parameter is optional.
However, user_oidc seems to require it and throws an exception if it does not receive it.
I think it would be great if authentik included a session id, because the whole concept of back-channel logout seems a bit worthless if we cannot target single sessions.
If I understand the spec correctly, the expected behavior for user_oidc would be to end all sessions for that sub, which would not be expected behavior from the user's perspective. Please correct me if I am wrong.
Expected: authentik should include sid claim in logout tokens so user_oidc can terminate single sessions.
Actual: logout token does not contain sid, causing user_oidc to throw.
Relevant info
authentik 2025.8.0 via docker compose behind traefik.
nextcloud 31.0.8
user_oidc 7.3.1
Additional context
I created an issue at user_oidc
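The claim checks and the sid-or-sub dispatch discussed in this issue, as an added Python example that is not authentik's or user_oidc's own code. It assumes the logout token's signature has already been verified and builds its own unsigned, constructed token for testing; the issuer and client id are placeholders.

```python
# Added example (not authentik or user_oidc code). Assumes the JWT signature has
# already been verified; shows only the claim checks and the sid/sub dispatch.
import base64
import json

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for local testing (constructed, not provider output)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def validate_logout_token(token: str, issuer: str, client_id: str) -> dict:
    """Return the claims if the token passes the Logout Token validation rules of
    OIDC Back-Channel Logout 1.0, otherwise raise ValueError."""
    try:
        payload = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed JWT") from exc
    for name in ("iss", "aud", "iat", "jti", "events"):
        if name not in claims:
            raise ValueError(f"missing required claim: {name}")
    if claims["iss"] != issuer:
        raise ValueError("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if LOGOUT_EVENT not in claims["events"]:  # events is an object keyed by event URI
        raise ValueError("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub, sid or both")
    return claims


def sessions_to_terminate(claims: dict, sessions: list) -> list:
    """Only the matching session when sid is present; otherwise every session
    of the sub, rather than failing on a missing sid as described in the issue."""
    if "sid" in claims:
        return [s for s in sessions if s.get("sid") == claims["sid"]]
    return [s for s in sessions if s["sub"] == claims["sub"]]
```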