IdentityPython
diff --git a/‎src/idpyoidc/server/exception.py‎
Lines changed: 4 additions & 0 deletions b/‎src/idpyoidc/server/exception.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/idpyoidc/server/oauth2/authorization.py‎
Lines changed: 4 additions & 4 deletions b/‎src/idpyoidc/server/oauth2/authorization.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/idpyoidc/server/oauth2/introspection.py‎
Lines changed: 1 addition & 1 deletion b/‎src/idpyoidc/server/oauth2/introspection.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/idpyoidc/server/oauth2/token_helper.py‎
Lines changed: 8 additions & 8 deletions b/‎src/idpyoidc/server/oauth2/token_helper.py‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/idpyoidc/server/oidc/backchannel_authentication.py‎
Lines changed: 4 additions & 4 deletions b/‎src/idpyoidc/server/oidc/backchannel_authentication.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/idpyoidc/server/oidc/session.py‎
Lines changed: 9 additions & 9 deletions b/‎src/idpyoidc/server/oidc/session.py‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎src/idpyoidc/server/oidc/token_helper.py‎
Lines changed: 7 additions & 7 deletions b/‎src/idpyoidc/server/oidc/token_helper.py‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎src/idpyoidc/server/oidc/userinfo.py‎
Lines changed: 1 addition & 1 deletion b/‎src/idpyoidc/server/oidc/userinfo.py‎
Lines changed: 1 addition & 1 deletion
@@ -124,3 +124,7 @@ class CapabilitiesMisMatch(OidcEndpointError):
 
 class MultipleCodeUsage(OidcEndpointError):
     pass
+
+
+class InvalidBranchID(OidcEndpointError):
+    pass
@@ -768,7 +768,7 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
                 _code = self.mint_token(
                     token_class="authorization_code",
                     grant=grant,
-                    session_id=_sinfo["session_id"],
+                    session_id=_sinfo["branch_id"],
                 )
                 aresp["code"] = _code.value
                 handled_response_type.append("code")
@@ -779,7 +779,7 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
                 _access_token = self.mint_token(
                     token_class="access_token",
                     grant=grant,
-                    session_id=_sinfo["session_id"],
+                    session_id=_sinfo["branch_id"],
                 )
                 aresp["access_token"] = _access_token.value
                 aresp["token_type"] = "Bearer"
@@ -805,7 +805,7 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
                     id_token = self.mint_token(
                         token_class="id_token",
                         grant=grant,
-                        session_id=_sinfo["session_id"],
+                        session_id=_sinfo["branch_id"],
                         scope=request["scope"],
                         **kwargs,
                     )
@@ -995,7 +995,7 @@ def process_request(
         cinfo = _context.cdb[_cid]
         # logger.debug("client {}: {}".format(_cid, cinfo))
 
-        # this applies the default optionally deny_unknown_scopes policy
+        # this applies the default option deny_unknown_scopes policy
         check_unknown_scopes_policy(request, _cid, _context)
 
         if http_info is None:
 
@@ -124,7 +124,7 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
         _resp.weed()
 
         _claims_restriction = _context.claims_interface.get_claims(
-            _session_info["session_id"], scopes=_token.scope, claims_release_point="introspection"
+            _session_info["branch_id"], scopes=_token.scope, claims_release_point="introspection"
         )
         if _claims_restriction:
             user_info = _context.claims_interface.get_user_claims(
 
@@ -163,7 +163,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 token = self._mint_token(
                     token_class="access_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                     based_on=_based_on,
                 )
@@ -183,7 +183,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 refresh_token = self._mint_token(
                     token_class="refresh_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                     based_on=_based_on,
                 )
@@ -193,7 +193,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 _response["refresh_token"] = refresh_token.value
 
         # since the grant content has changed. Make sure it's stored
-        _mngr[_session_info["session_id"]] = grant
+        _mngr[_session_info["branch_id"]] = grant
 
         _based_on.register_usage()
 
@@ -275,7 +275,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         access_token = self._mint_token(
             token_class="access_token",
             grant=_grant,
-            session_id=_session_info["session_id"],
+            session_id=_session_info["branch_id"],
             client_id=_session_info["client_id"],
             based_on=token,
             scope=scope,
@@ -297,7 +297,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             refresh_token = self._mint_token(
                 token_class="refresh_token",
                 grant=_grant,
-                session_id=_session_info["session_id"],
+                session_id=_session_info["branch_id"],
                 client_id=_session_info["client_id"],
                 based_on=token,
                 scope=scope,
@@ -435,7 +435,7 @@ def post_parse_request(self, request, client_id="", **kwargs):
             )
 
         # Find the token instance based on the token value
-        token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
+        token = _mngr.find_token(_session_info["branch_id"], request["subject_token"])
         if token.is_active() is False:
             return self.error_cls(
                 error="invalid_request", error_description="Subject token inactive"
@@ -535,14 +535,14 @@ def process_request(self, request, **kwargs):
                 error="invalid_request", error_description="Subject token invalid"
             )
 
-        token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
+        token = _mngr.find_token(_session_info["branch_id"], request["subject_token"])
         _requested_token_type = request.get(
             "requested_token_type", "urn:ietf:params:oauth:token-type:access_token"
         )
 
         _token_class = self.token_types_mapping[_requested_token_type]
 
-        sid = _session_info["session_id"]
+        sid = _session_info["branch_id"]
 
         _token_type = "Bearer"
         # Is DPOP supported
 
@@ -239,7 +239,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             token = self._mint_token(
                 token_class="access_token",
                 grant=grant,
-                session_id=_session_info["session_id"],
+                session_id=_session_info["branch_id"],
                 client_id=_session_info["client_id"],
                 token_type=token_type,
             )
@@ -255,7 +255,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 refresh_token = self._mint_token(
                     token_class="refresh_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                 )
             except MintingNotAllowed as err:
@@ -264,14 +264,14 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 _response["refresh_token"] = refresh_token.value
 
         # since the grant content has changed. Make sure it's stored
-        _mngr[_session_info["session_id"]] = grant
+        _mngr[_session_info["branch_id"]] = grant
 
         if "openid" in _authn_req["scope"]:
             try:
                 _idtoken = self._mint_token(
                     token_class="id_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                 )
             except (JWEException, NoSuitableSigningKeys) as err:
 
@@ -149,9 +149,7 @@ def clean_sessions(self, usids):
     def logout_all_clients(self, sid):
         _context = self.server_get("endpoint_context")
         _mngr = _context.session_manager
-        _session_info = _mngr.get_session_info(
-            sid, user_session_info=True, client_session_info=True, grant=True
-        )
+        _session_info = _mngr.get_session_info(sid)
 
         # Front-/Backchannel logout ?
         _cdb = _context.cdb
@@ -165,12 +163,14 @@ def logout_all_clients(self, sid):
         bc_logouts = {}
         fc_iframes = {}
         _rel_sid = []
-        for _client_id in _session_info["user_session_info"].subordinate:
+        for _client_key in _session_info["user"].subordinate:
+            _path = _mngr.unpack_branch_key(_client_key)
+            _client_id = _path[-1]
             # I prefer back-channel. Should it be configurable ?
             if "backchannel_logout_uri" in _cdb[_client_id]:
-                _cli = _mngr.get([_user_id, _client_id])
+                _cli = _mngr.get(_path)
                 for gid in _cli.subordinate:
-                    grant = _mngr.get([_user_id, _client_id, gid])
+                    grant = _mngr.get(_mngr.unpack_branch_key(gid))
                     # Has to be connected to an authentication event
                     if not grant.authentication_event:
                         continue
@@ -182,9 +182,9 @@ def logout_all_clients(self, sid):
                             bc_logouts[_client_id] = _spec
                         break
             elif "frontchannel_logout_uri" in _cdb[_client_id]:
-                _cli = _mngr.get([_user_id, _client_id])
+                _cli = _mngr.get(_path)
                 for gid in _cli.subordinate:
-                    grant = _mngr.get([_user_id, _client_id, gid])
+                    grant = _mngr.get(_mngr.unpack_branch_key(gid))
                     # Has to be connected to an authentication event
                     if not grant.authentication_event:
                         continue
@@ -324,7 +324,7 @@ def process_request(
             )
 
         payload = {
-            "sid": _session_info["session_id"],
+            "sid": _session_info["branch_id"],
         }
 
         # redirect user to OP logout verification page
 
@@ -107,7 +107,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 token = self._mint_token(
                     token_class="access_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                     based_on=_based_on,
                     token_type=token_type,
@@ -128,7 +128,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 refresh_token = self._mint_token(
                     token_class="refresh_token",
                     grant=grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                     based_on=_based_on,
                 )
@@ -138,15 +138,15 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 _response["refresh_token"] = refresh_token.value
 
         # since the grant content has changed. Make sure it's stored
-        _mngr[_session_info["session_id"]] = grant
+        _mngr[_session_info["branch_id"]] = grant
 
         if "openid" in _authn_req["scope"] and "id_token" in _supports_minting:
             if "id_token" in _based_on.usage_rules.get("supports_minting"):
                 try:
                     _idtoken = self._mint_token(
                         token_class="id_token",
                         grant=grant,
-                        session_id=_session_info["session_id"],
+                        session_id=_session_info["branch_id"],
                         client_id=_session_info["client_id"],
                         based_on=_based_on,
                     )
@@ -243,7 +243,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         access_token = self._mint_token(
             token_class="access_token",
             grant=_grant,
-            session_id=_session_info["session_id"],
+            session_id=_session_info["branch_id"],
             client_id=_session_info["client_id"],
             based_on=token,
             scope=scope,
@@ -270,7 +270,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             refresh_token = self._mint_token(
                 token_class="refresh_token",
                 grant=_grant,
-                session_id=_session_info["session_id"],
+                session_id=_session_info["branch_id"],
                 client_id=_session_info["client_id"],
                 based_on=token,
                 scope=scope,
@@ -283,7 +283,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                 _idtoken = self._mint_token(
                     token_class="id_token",
                     grant=_grant,
-                    session_id=_session_info["session_id"],
+                    session_id=_session_info["branch_id"],
                     client_id=_session_info["client_id"],
                     based_on=token,
                     scope=scope,
 
@@ -150,7 +150,7 @@ def process_request(self, request=None, **kwargs):
         if allowed:
             _cntxt = self.server_get("endpoint_context")
             _claims_restriction = _cntxt.claims_interface.get_claims(
-                _session_info["session_id"], scopes=token.scope, claims_release_point="userinfo"
+                _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
             )
             info = _cntxt.claims_interface.get_user_claims(
                 _session_info["user_id"], claims_restriction=_claims_restriction
Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs`
`124`	`124`	`_resp.weed()`
`125`	`125`
`126`	`126`	`_claims_restriction = _context.claims_interface.get_claims(`
`127`		`- _session_info["session_id"], scopes=_token.scope, claims_release_point="introspection"`
	`127`	`+ _session_info["branch_id"], scopes=_token.scope, claims_release_point="introspection"`
`128`	`128`	`)`
`129`	`129`	`if _claims_restriction:`
`130`	`130`	`user_info = _context.claims_interface.get_user_claims(`
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ def process_request(self, request=None, **kwargs):`
`150`	`150`	`if allowed:`
`151`	`151`	`_cntxt = self.server_get("endpoint_context")`
`152`	`152`	`_claims_restriction = _cntxt.claims_interface.get_claims(`
`153`		`- _session_info["session_id"], scopes=token.scope, claims_release_point="userinfo"`
	`153`	`+ _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"`
`154`	`154`	`)`
`155`	`155`	`info = _cntxt.claims_interface.get_user_claims(`
`156`	`156`	`_session_info["user_id"], claims_restriction=_claims_restriction`