zamzterz/Flask-pyoidc

Why id_token_jwt is stored in session when id_token is already there?

Closed this issue · 1 comment

```python
resp = self._provider_configuration.requests_session \
    .post(self._client.token_endpoint,
          data=request,
          headers=auth_header) \
    .json()
logger.debug('received token response: %s', json.dumps(resp))
token_resp = self._parse_response(resp, AccessTokenResponse, TokenErrorResponse)
if 'id_token' in resp:
    token_resp['id_token_jwt'] = resp['id_token']
```

This line adds id_token_jwt, which is then inserted into the session:

```python
UserSession(flask.session).update(access_token=result.access_token,
                                  expires_in=result.expires_in,
                                  id_token=result.id_token_claims,
                                  id_token_jwt=result.id_token_jwt,
                                  userinfo=result.userinfo_claims,
                                  refresh_token=result.refresh_token)
```

When id_token is parsed from id_token_jwt, why do we need both of them in the session? The problem it is causing now is that when I delegate the token exchange to oic.oic.Client.do_access_token_request, it only returns the parsed id_token, so I no longer have id_token_jwt.

The signed and serialised ID token needs to be stored in the session to be usable as id_token_hint in applicable requests (e.g. logout request: #32).
It's used here.

I've not dug into the details, so I'm not sure how/if it can be extracted from Client.do_access_token_request, but that is something that is needed.
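To illustrate why the serialised token has to survive in the session, here is an added example (not Flask-pyoidc's own code) that builds an RP-initiated logout URL from the session: the provider needs the original compact JWS as `id_token_hint`, and the parsed claims cannot be re-serialised into it. The function names, the `end_session_endpoint` parameter and the sample token are assumptions constructed for this example; it also cross-checks the stored JWT against the already-verified claims so a stale or swapped value is not sent as the hint.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(id_token_jwt: str) -> dict:
    """Payload claims of a compact JWS, without signature verification.
    Only used to cross-check against claims that were verified at login time."""
    parts = id_token_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_jwt is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def build_end_session_url(end_session_endpoint: str, session: dict,
                          post_logout_redirect_uri: str, state: str) -> str:
    """RP-initiated logout URL using session['id_token_jwt'] as id_token_hint.
    session['id_token'] (parsed claims) is not usable: the signed JWT is required."""
    jwt = session.get("id_token_jwt")
    claims = session.get("id_token")
    if not jwt or not claims:
        raise ValueError("session lacks id_token_jwt or parsed id_token claims")
    payload = unverified_claims(jwt)
    for key in ("iss", "sub", "aud"):  # the stored JWT must describe the same session
        if payload.get(key) != claims.get(key):
            raise ValueError(f"stored id_token_jwt does not match parsed id_token on {key!r}")
    query = urlencode({"id_token_hint": jwt,
                       "post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return f"{end_session_endpoint}?{query}"


# Constructed sample: a compact JWS with a dummy signature segment, as stored in the session.
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "user-1", "aud": "client-1", "exp": 1700000000}
SAMPLE_ID_TOKEN_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"dummy-signature"),
])
SAMPLE_SESSION = {"id_token": SAMPLE_CLAIMS, "id_token_jwt": SAMPLE_ID_TOKEN_JWT}
```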