[Openid-specs-ab] Issue #2169: [Native SSO] The id_token spec in the token exchange profile (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Wed Aug 28 15:18:48 UTC 2024


New issue 2169: [Native SSO] The id_token spec in the token exchange profile
https://bitbucket.org/openid/connect/issues/2169/native-sso-the-id_token-spec-in-the-token

Vladimir Dzhuvinov:

In the token exchange profile there is a definition of the `id_token` that the OP must mint in response to a backend SSO request.

https://openid.net/specs/openid-connect-native-sso-1_0.html#name-token-exchange-response

> id_token
>
> OPTIONAL. By default the AS should return an id_token that provides the mobile app with an identity assertion about the user.

I think this definition should mention that the ID token must include the `ds_hash` and `sid` claims, as specced in section 3.4. This will enable the group of related apps on the device to use the new ID token in subsequent backend SSO requests via the token exchange grant. Otherwise, if the ID token is a generic one, the apps will have to use the original ID token issued in the web flow (the code flow). Unless this is intended behaviour (but that can lead to a broken binding if the `device_secret` is updated at some point).
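The check below is an added example and is not part of the issue, the mailing list thread, or the Native SSO specification. It shows what a client (or an OP's own conformance test) can verify on a freshly minted token-exchange ID token: that the `sid` and `ds_hash` claims are present, and that `ds_hash` still corresponds to the device secret the apps currently hold, which is the broken binding the issue describes when `device_secret` is rotated. The `ds_hash` construction used here (SHA-256 over the secret, left half, base64url) is an assumption made for the demonstration; the real construction is whatever the OP implements from section 3.4. All tokens, secrets and claim values are constructed, the tokens are unsigned, and signature verification is assumed to have happened before the payload is inspected.

```python
import base64
import hashlib
import json
from typing import Dict, List, Optional

# Claims the issue asks the token-exchange ID token to carry (Native SSO section 3.4).
REQUIRED_SSO_CLAIMS = ("sid", "ds_hash")


def b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ds_hash_for(device_secret: str) -> str:
    """ASSUMPTION: illustrative construction only (SHA-256 over the ASCII
    device_secret, left-most 128 bits, base64url). An OP's actual ds_hash
    construction comes from its own implementation of the spec."""
    digest = hashlib.sha256(device_secret.encode("ascii")).digest()
    return b64url(digest[:16])


def make_unsigned_jwt(claims: Dict[str, object]) -> str:
    """Builds an alg=none compact token for the constructed samples below.
    Real ID tokens are signed; signature checking is out of scope here."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> Dict[str, object]:
    """Decodes the payload segment only; assumes the caller's JWT library
    has already verified the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def sso_binding_problems(claims: Dict[str, object], current_device_secret: str,
                         expected_sid: Optional[str] = None) -> List[str]:
    """Returns the reasons an ID token cannot be used for a subsequent
    token-exchange SSO request; an empty list means it is usable."""
    problems: List[str] = []
    for name in REQUIRED_SSO_CLAIMS:
        if name not in claims:
            problems.append(f"missing claim: {name}")
    # A stale ds_hash is the broken binding the issue warns about when the
    # device_secret has been rotated since the token was minted.
    if "ds_hash" in claims and claims["ds_hash"] != ds_hash_for(current_device_secret):
        problems.append("ds_hash does not match the current device_secret")
    if expected_sid is not None and "sid" in claims and claims["sid"] != expected_sid:
        problems.append("sid does not match the shared session")
    return problems


# Constructed sample data (not real tokens, issuers or secrets).
DEVICE_SECRET = "constructed-device-secret-v1"
ROTATED_DEVICE_SECRET = "constructed-device-secret-v2"

# Token minted as the issue proposes: carries sid and ds_hash.
SSO_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://op.example", "sub": "user-1", "aud": "app-b",
    "sid": "sess-42", "ds_hash": ds_hash_for(DEVICE_SECRET),
})
# Generic ID token without the Native SSO claims.
GENERIC_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://op.example", "sub": "user-1", "aud": "app-b",
})

if __name__ == "__main__":
    for label, tok in (("sso", SSO_ID_TOKEN), ("generic", GENERIC_ID_TOKEN)):
        print(label, sso_binding_problems(decode_jwt_payload(tok), DEVICE_SECRET))
    print("after rotation",
          sso_binding_problems(decode_jwt_payload(SSO_ID_TOKEN), ROTATED_DEVICE_SECRET))
```

Running the module prints an empty problem list for the SSO-capable token, two missing-claim entries for the generic token, and a `ds_hash` mismatch once the device secret has been rotated, which is the case where an app holding only the new ID token would have to fall back to the original web-flow token.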
