[Openid-specs-ab] Issue #2168: [Native SSO] Token refresh (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Thu Aug 22 07:09:17 UTC 2024


New issue 2168: [Native SSO] Token refresh
https://bitbucket.org/openid/connect/issues/2168/native-sso-token-refresh

Vladimir Dzhuvinov:

We need help with the refresh token grant in the context of device SSO.

[https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.3](https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.3)

Section 3.3 says the RP can omit the `device_secret` in a token refresh, and this is fine. The OP will check the refresh token and if it contains the `device_sso` scope, it will know the context (device SSO).

[https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.4](https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.4)

> If the authorization request included the device_sso scope then the authorization server MUST return a device_secret in the response. The device_secret is returned in the device_token claim of the returned JSON data. If no devices_secret is specified, then the AS MUST generate the token. If a device_secret is specified and is valid, the AS MAY update the device_secret as necessary. Regardless a device_secret must be returned in the response.

Section 3.4 describes the response to an authorization code grant. I’m unsure if / how this applies to refresh token responses - in particular - is the `device_secret` here also required?
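
The two behaviours the post contrasts, modelled as a toy OP token endpoint. This is an added example, not code from the issue or from the Native SSO draft: the authorization code grant follows the Section 3.4 rule quoted above (generate a `device_secret` when none is presented, keep a presented valid one, always return one when `device_sso` was requested), and the refresh grant follows Section 3.3 (the `device_secret` may be omitted, the OP recognises the device SSO context from the scope bound to the refresh token). Whether the refresh response carries a `device_secret` is exactly the open question, so here it is a constructor flag labelled as an assumption rather than spec behaviour. The `device_secret` response key, the in-memory stores, the client identifiers and the rejection of a presented secret that belongs to a different user are all assumptions of the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class NativeSsoOp:
    """Toy OP token endpoint for Native SSO device_secret handling (example only).

    return_device_secret_on_refresh models the open question from the issue:
    Section 3.4 is explicit for the code grant, the draft is silent on refresh
    responses, so this knob is an assumption, not spec text.
    """
    return_device_secret_on_refresh: bool = False
    auth_codes: dict = field(default_factory=dict)      # code -> {"sub", "scope", "client_id"}
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> {"sub", "scope", "client_id"}
    device_secrets: dict = field(default_factory=dict)  # device_secret -> sub (assumed store)

    def issue_code(self, sub: str, scope: str, client_id: str) -> str:
        """Stand-in for the authorization endpoint: mint a code bound to user, scope, client."""
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = {"sub": sub, "scope": frozenset(scope.split()), "client_id": client_id}
        return code

    def _device_secret_for(self, sub: str, presented):
        # Section 3.4: none presented -> MUST generate; presented and valid -> MAY update
        # (kept unchanged here); presented but unknown or another user's -> treat as absent.
        if presented is not None and self.device_secrets.get(presented) == sub:
            return presented
        ds = secrets.token_urlsafe(32)
        self.device_secrets[ds] = sub
        return ds

    def token_endpoint(self, params: dict) -> dict:
        grant = params.get("grant_type")
        if grant == "authorization_code":
            return self._code_grant(params)
        if grant == "refresh_token":
            return self._refresh_grant(params)
        return {"error": "unsupported_grant_type"}

    def _code_grant(self, params: dict) -> dict:
        entry = self.auth_codes.pop(params.get("code"), None)   # single use
        if entry is None or entry["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        rt = secrets.token_urlsafe(32)
        # The scope granted at authorization time is what a later refresh is checked against.
        self.refresh_tokens[rt] = dict(entry)
        resp = {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": rt,
            "scope": " ".join(sorted(entry["scope"])),
        }
        if "device_sso" in entry["scope"]:
            # Regardless of what was presented, a device_secret is returned (Section 3.4).
            resp["device_secret"] = self._device_secret_for(entry["sub"], params.get("device_secret"))
        return resp

    def _refresh_grant(self, params: dict) -> dict:
        entry = self.refresh_tokens.get(params.get("refresh_token"))
        if entry is None or entry["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        resp = {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "scope": " ".join(sorted(entry["scope"])),
        }
        if "device_sso" in entry["scope"]:
            # Section 3.3: device_secret is optional on refresh; the device SSO context
            # comes from the scope bound to the refresh token, not from the parameter.
            presented = params.get("device_secret")
            if presented is not None and self.device_secrets.get(presented) != entry["sub"]:
                return {"error": "invalid_grant"}   # assumption: a wrong secret is not silently ignored
            if self.return_device_secret_on_refresh:   # assumption, see class docstring
                resp["device_secret"] = self._device_secret_for(entry["sub"], presented)
        return resp

    def is_device_sso_context(self, refresh_token: str) -> bool:
        """How the OP 'knows the context' from the refresh token alone."""
        entry = self.refresh_tokens.get(refresh_token)
        return entry is not None and "device_sso" in entry["scope"]


if __name__ == "__main__":
    op = NativeSsoOp()
    first = op.token_endpoint({"grant_type": "authorization_code",
                               "code": op.issue_code("alice", "openid device_sso", "app1"),
                               "client_id": "app1"})
    refreshed = op.token_endpoint({"grant_type": "refresh_token",
                                   "refresh_token": first["refresh_token"], "client_id": "app1"})
    print("code grant keys:", sorted(first))
    print("refresh keys:   ", sorted(refreshed), "device SSO context:",
          op.is_device_sso_context(first["refresh_token"]))
```

Running it shows the asymmetry the post asks about: the code grant response always carries `device_secret` when `device_sso` was granted, while the refresh response only does so when the assumed flag is set, even though the OP can still tell from the refresh token that it is in a device SSO context.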
