[Openid-specs-ab] Issue #2101: [Native App SSO] No prescriptive restriction on the authorization server to protect an actor-less token exchange (openid/connect)
Vivek Shankar
issues-reply at bitbucket.org
Wed Dec 6 11:10:52 UTC 2023
New issue 2101: [Native App SSO] No prescriptive restriction on the authorization server to protect an actor-less token exchange
https://bitbucket.org/openid/connect/issues/2101/native-app-sso-no-prescriptive-restriction
Vivek Shankar:
Thank you for the OpenID Native App SSO spec. It solves a real-world problem. I have a proposed update to this spec.
REF: [https://openid.net/specs/openid-connect-native-sso-1_0-ID1.html#section-4.3](https://openid.net/specs/openid-connect-native-sso-1_0-ID1.html#section-4.3)
The native app SSO flow’s token exchange profile expects that the actor token will somehow be mandatory. However, OAuth 2.0 token exchange does not mandate that the actor token is required. Should this perhaps be prescriptive? For example, if the `ds_hash` claim is present in the subject token, the corresponding `device_secret` must be provided as an actor token.
Given the spec hinges on the pairing of the `id_token` and the `device_secret` for the token exchange profile, this seems important to prescribe. This is necessary, IMHO, to avoid badly written clients just using the `id_token` to obtain an access token, which is the ultimate goal for those client apps.
Failing to have something like this in place forces OPs to come up with their own bespoke enforcement. Not having some form of enforcement, IMO, can cause inadvertent exposure in a real implementation.
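The check the issue asks for, written out as an added example of what an authorization server's token endpoint could enforce. This is illustrative code, not part of the issue, the mailing list thread, or the Native SSO draft. It assumes the subject `id_token` has already been signature-, issuer-, audience- and expiry-checked elsewhere, that `ds_hash` is built the way `at_hash`/`c_hash` are (base64url of the left half of SHA-256 over the `device_secret` octets; confirm against the draft you implement), and it uses the RFC 8693 `id_token` token-type URI and the draft's `device-secret` actor token type, which you should also verify against the draft version in use. The `require_ds_hash` flag is a stricter deployment choice than the issue proposes and is labelled as such.

```python
import base64
import hashlib
import hmac

# Token-type URIs: the grant and subject type come from RFC 8693; the actor
# type is the device_secret type used by the Native SSO draft. Verify both
# against the draft version you implement before relying on them.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
TYPE_DEVICE_SECRET = "urn:openid:params:token-type:device-secret"


def ds_hash(device_secret: str) -> str:
    """Assumed ds_hash construction, modelled on at_hash/c_hash: unpadded
    base64url of the left-most half of SHA-256 over the ASCII octets of the
    device_secret. Substitute the hash that matches your ID Token alg."""
    digest = hashlib.sha256(device_secret.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


class TokenExchangeError(Exception):
    """Carries the OAuth error code the token endpoint should return."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f"{error}: {description}")
        self.error = error


def enforce_device_secret_pairing(params: dict, subject_claims: dict,
                                  require_ds_hash: bool = True) -> None:
    """Hypothetical AS-side rule for the Native SSO token exchange profile.

    `params` is the parsed token-endpoint request body; `subject_claims` is
    the payload of the subject id_token AFTER signature, issuer, audience and
    expiry have been verified elsewhere. Raises TokenExchangeError on refusal.
    `require_ds_hash=True` is stricter than the issue's proposal: it also
    refuses id_tokens that carry no ds_hash at all.
    """
    if params.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        raise TokenExchangeError("unsupported_grant_type", "not a token exchange")
    if params.get("subject_token_type") != TYPE_ID_TOKEN:
        raise TokenExchangeError("invalid_request", "subject_token must be an id_token")

    expected = subject_claims.get("ds_hash")
    if expected is None:
        if require_ds_hash:
            raise TokenExchangeError("invalid_grant", "id_token carries no ds_hash")
        return  # nothing to pair against; plain RFC 8693 semantics apply
    if not isinstance(expected, str):
        raise TokenExchangeError("invalid_grant", "malformed ds_hash claim")

    # The issue's proposal: a ds_hash in the subject token makes the actor
    # token mandatory, so an id_token on its own can never be exchanged.
    actor_token = params.get("actor_token")
    if not actor_token:
        raise TokenExchangeError("invalid_request", "actor_token (device_secret) is required")
    if params.get("actor_token_type") != TYPE_DEVICE_SECRET:
        raise TokenExchangeError("invalid_request", "actor_token_type must be the device_secret type")
    # Constant-time comparison so the hash check does not leak timing.
    if not hmac.compare_digest(ds_hash(actor_token), expected):
        raise TokenExchangeError("invalid_grant", "device_secret does not match ds_hash")


def evaluate_exchange(params: dict, subject_claims: dict) -> str:
    """Convenience wrapper returning 'ok' or the OAuth error code."""
    try:
        enforce_device_secret_pairing(params, subject_claims)
    except TokenExchangeError as exc:
        return exc.error
    return "ok"


# Constructed sample data, not taken from any real deployment.
DEVICE_SECRET = "constructed-device-secret-0123456789"
SUBJECT_CLAIMS = {"iss": "https://op.example", "sub": "user-42",
                  "aud": "app-one", "ds_hash": ds_hash(DEVICE_SECRET)}
REQUEST = {
    "grant_type": GRANT_TOKEN_EXCHANGE,
    "subject_token": "<signed id_token, verified before this check>",
    "subject_token_type": TYPE_ID_TOKEN,
    "actor_token": DEVICE_SECRET,
    "actor_token_type": TYPE_DEVICE_SECRET,
}

if __name__ == "__main__":
    print(evaluate_exchange(REQUEST, SUBJECT_CLAIMS))  # ok
    print(evaluate_exchange({**REQUEST, "actor_token": ""}, SUBJECT_CLAIMS))  # invalid_request
```

The rule refuses the exact case the issue worries about (an `id_token` presented alone, or with a `device_secret` that does not hash to the `ds_hash` claim) at the token endpoint, so the enforcement is not left to each OP's bespoke handling.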