lua-resty-openidc
enc_id_token vs id_token
Why is enc_id_token separated from id_token? It looks like it's being set the same way here. I assume enc means encrypted? It doesn't seem so as for how it is being set though.
It is setting the session_token as enc_id_token here. We can see that params["id_token_hint"] will only get set if the session_token exists, which means enc_id_token has to be true in opts.session_contents.
Any inputs would be appreciated. Thank you!
enc_ means encoded in this context. If you look closely you will see they are set to separate values :-)
enc_id_token is the raw id token - the dot-separated base64 parts. id_token is a table holding the parsed payload of the token.
When sending the token back to the OIDC provider lua-resty-openidc needs the original string as it cannot generally reconstruct the exact same representation from the parsed payload (it wouldn't be able to sign the token for example). So yes, if you want to use the id_token_hint during logout you must store the enc_id_token as part of the session.
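The point made in the answer above, as an added example that is not part of the original thread or of lua-resty-openidc: re-serializing a parsed ID token does not reproduce the signed bytes, so only the stored raw string still verifies. It is written in Python for a self-contained run; the HS256 key, claims and function names are constructed for illustration (a real provider would typically sign with its own private key).

```python
import base64, hashlib, hmac, json

# Constructed demo key: stands in for the provider's signing key, which the
# relying party does not hold. Only issue_raw_token() and verify() use it.
KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    mac = hmac.new(KEY, signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def issue_raw_token() -> str:
    # Provider side: its own key order and whitespace (constructed claims).
    header = '{"typ": "JWT", "alg": "HS256"}'
    payload = '{"sub": "alice", "iss": "https://op.example", "aud": "rp-client"}'
    signing_input = b64url(header.encode()) + "." + b64url(payload.encode())
    return signing_input + "." + sign(signing_input)  # the "enc_id_token" form

def verify(raw: str) -> bool:
    # Provider side: the signature covers the exact header.payload bytes.
    signing_input, _, sig = raw.rpartition(".")
    return hmac.compare_digest(sign(signing_input), sig)

def parse_payload(raw: str) -> dict:
    # The "id_token" form: just the decoded claims.
    return json.loads(b64url_decode(raw.split(".")[1]))

def rebuild_from_parsed(raw: str) -> str:
    # Relying-party side with only parsed data: re-serialize the claims and
    # reuse the old signature, since it cannot produce a new one.
    header_b64, _, sig = raw.split(".")
    header = json.loads(b64url_decode(header_b64))
    compact = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True)
    return ".".join([b64url(compact(header).encode()),
                     b64url(compact(parse_payload(raw)).encode()), sig])

if __name__ == "__main__":
    raw = issue_raw_token()
    rebuilt = rebuild_from_parsed(raw)
    print("same claims:", parse_payload(raw) == parse_payload(rebuilt))
    print("raw verifies:", verify(raw), "| rebuilt verifies:", verify(rebuilt))
```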