KEYCLOAK-2511 Rename session-state in access token response to session_state

core/src/main/java/org/keycloak/representations/AccessTokenResponse.java

@@ -52,7 +52,7 @@ public class AccessTokenResponse {
     @JsonProperty("not-before-policy")
     protected int notBeforePolicy;
 
-    @JsonProperty("session-state")
+    @JsonProperty("session_state")
     protected String sessionState;
 
     protected Map<String, Object> otherClaims = new HashMap<String, Object>();

docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml

@@ -121,6 +121,13 @@
                     The Client Registration service endpoints have been moved from <literal>{realm}/clients</literal> to <literal>{realm}/clients-registrations</literal>.
                 </para>
             </simplesect>
+            <simplesect>
+                <title>Session state parameter in authentication response renamed</title>
+                <para>
+                    In the OpenID Connect authentication response we used to return the session state as <literal>session-state</literal> this is not
+                    correct according to the specification and has been renamed to <literal>session_state</literal>.
+                </para>
+            </simplesect>
             <simplesect>
                 <title>Deprecated OpenID Connect endpoints</title>
                 <para>

docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml

@@ -73,7 +73,7 @@ Pragma: no-cache
     "expires_in":3600,
     "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
     "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
-    "session-state":"234234-234234-234234"
+    "session_state":"234234-234234-234234"
 }]]>
 </programlisting>
     </para>

docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml

@@ -61,7 +61,7 @@ Pragma: no-cache
     "refresh_expires_in":600,
     "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
     "not-before-policy":0,
-    "session-state":"234234-234234-234234"
+    "session_state":"234234-234234-234234"
 }]]>
         </programlisting>
     </para>

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java

@@ -163,7 +163,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
             if (responseType.hasResponseType(OIDCResponseType.TOKEN)) {
                 redirectUri.addParam("access_token", res.getToken());
                 redirectUri.addParam("token_type", res.getTokenType());
-                redirectUri.addParam("session-state", res.getSessionState());
+                redirectUri.addParam("session_state", res.getSessionState());
                 redirectUri.addParam("expires_in", String.valueOf(res.getExpiresIn()));
             }