OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
I expected this to say “the sid value MUST match that in the id_token” or something along these lines. To some extent it’s currently left to the reader to realise the values must be the same.
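Added example, not from the spec text or the comment above: an RP-side session store that records the sid from the ID Token at login and later matches a logout notification against it. It assumes the notification carries the issuer and sid (and optionally the sub); the store layout and the names RpSession, SessionStore and logout_by_sid are hypothetical. The point it demonstrates is the "unique per issuer" clause: a lookup keyed by sid alone would let one OP's sid terminate a session established with a different OP that happened to issue the same string.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RpSession:
    local_id: str          # the RP's own cookie/session identifier
    iss: str               # issuer of the ID Token that established the login
    sub: str               # subject from that ID Token
    sid: Optional[str]     # sid from that ID Token, if the OP issued one
    active: bool = True

class SessionStore:
    def __init__(self) -> None:
        self._by_local_id: dict = {}

    def login(self, local_id: str, id_token_claims: dict) -> RpSession:
        """Record a login, copying iss/sub/sid from the already-validated ID Token claims."""
        s = RpSession(local_id, id_token_claims["iss"], id_token_claims["sub"],
                      id_token_claims.get("sid"))
        self._by_local_id[local_id] = s
        return s

    def sessions_for(self, iss: str, sid: str) -> list:
        """Lookup scoped to the issuer: the same sid string from another OP must not match."""
        return [s for s in self._by_local_id.values()
                if s.active and s.iss == iss and s.sid == sid]

    def logout_by_sid(self, iss: str, sid: str, sub: Optional[str] = None) -> list:
        """Terminate the sessions whose ID Token carried this issuer's sid and return their ids.
        If the notification also names a sub, require it to agree (an assumed defensive
        check; the quoted text does not mandate it)."""
        ended = []
        for s in self.sessions_for(iss, sid):
            if sub is not None and s.sub != sub:
                continue
            s.active = False
            ended.append(s.local_id)
        return ended

def demo() -> tuple:
    # Constructed sample data: two OPs that happen to issue the identical sid value.
    store = SessionStore()
    store.login("cookie-A", {"iss": "https://op-a.example", "sub": "alice", "sid": "s-123"})
    store.login("cookie-B", {"iss": "https://op-b.example", "sub": "bob", "sid": "s-123"})
    ended = store.logout_by_sid("https://op-a.example", "s-123")
    # Only Alice's session ends; Bob's session at op-b with the same sid string survives.
    return ended, store._by_local_id["cookie-B"].active
```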