[Openid-specs-ab] Issue #2170: [Native SSO] Device secret updates should only happen when a new ID token is issued (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Wed Aug 28 16:00:47 UTC 2024
New issue 2170: [Native SSO] Device secret updates should only happen when a new ID token is issued
https://bitbucket.org/openid/connect/issues/2170/native-sso-device-secret-updates-should
Vladimir Dzhuvinov:
This issue was discovered recently and is not based on our PoC (which doesn’t rotate the `device_secret`).
The spec allows for OPs to update the `device_secret`, for extra security in case of a leak. The OP can return a new `device_secret` to the RP in a token response. The device SSO spec deals with these 3 grants:
* code
* refresh token
* token exchange
The code and token exchange grants provide the RP with a new ID token, which is supposed to include the `ds_hash`. If a new `device_secret` gets issued, this gets reflected in the ID token `ds_hash`.
The interpretation of the current spec is that the refresh token response can also produce an updated `device_secret` (issue #2168). OIDC Core, however, doesn’t mandate an ID token in these responses, i.e. it’s an optional thing and there are also good reasons to consider this an anti-pattern. In the absence of an updated ID token (with the new `ds_hash` binding) the group of apps on the device will not be able to make a new successful back-channel SSO request via the token exchange grant.
It seems the most efficient solution to this is to allow `device_secret` updates only in the code flow and in the token exchange profile, leaving the refresh token grant out of this. The general rule being that device secret updates should only happen when a new ID token is issued.
I noticed the token exchange request could also benefit from an explicit mention that the submitted ID token must be bound to the device secret in the `actor_token`, to make app developers aware of this requirement when they construct their requests:
[https://openid.net/specs/openid-connect-native-sso-1_0.html#name-oauth2-token-exchange-profi](https://openid.net/specs/openid-connect-native-sso-1_0.html#name-oauth2-token-exchange-profi)
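As an added example (not part of the issue or of the spec's own text), this Python sketch models the binding the issue relies on: the OP checks that the `actor_token` (the `device_secret`) matches the `ds_hash` in the presented ID token, and shows why rotating the secret in a refresh response without issuing a new ID token breaks the next token exchange from a sibling app. The hash construction (SHA-256, base64url, mirroring `at_hash`) is an assumption, since the Native SSO spec leaves the `ds_hash` algorithm to the OP; tokens are plain claim dicts rather than signed JWTs, and the OP URL and subject are constructed values.

```python
import base64
import hashlib
import secrets

def ds_hash(device_secret: str) -> str:
    """Assumed construction: SHA-256 of the secret, base64url without padding.
    The Native SSO spec leaves the ds_hash algorithm to the OP."""
    digest = hashlib.sha256(device_secret.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_id_token(sub: str, device_secret: str) -> dict:
    """Constructed stand-in for the OP minting an ID token (claims only, unsigned)."""
    return {"iss": "https://op.example", "sub": sub, "ds_hash": ds_hash(device_secret)}

def refresh_response(state: dict, rotate_secret: bool, reissue_id_token: bool) -> dict:
    """Constructed OP refresh-token response; 'state' is the device's shared
    storage, updated the way the RP would after saving what the OP returned."""
    response = {"access_token": secrets.token_urlsafe(16)}
    if rotate_secret:
        state["device_secret"] = secrets.token_urlsafe(32)
        response["device_secret"] = state["device_secret"]
    if reissue_id_token:
        state["id_token"] = issue_id_token(state["sub"], state["device_secret"])
        response["id_token"] = state["id_token"]
    return response

def verify_token_exchange(subject_token: dict, actor_token: str) -> bool:
    """OP-side check on a Native SSO token exchange: the actor_token (device_secret)
    must be the one bound into the subject_token's ds_hash."""
    return subject_token.get("ds_hash") == ds_hash(actor_token)

def sso_after_refresh(rotate_secret: bool, reissue_id_token: bool) -> bool:
    """App A logs in via the code flow and later refreshes; App B then attempts
    back-channel SSO with the device_secret and ID token from shared storage."""
    device_secret = secrets.token_urlsafe(32)
    state = {"sub": "user-1", "device_secret": device_secret,
             "id_token": issue_id_token("user-1", device_secret)}
    refresh_response(state, rotate_secret, reissue_id_token)
    return verify_token_exchange(state["id_token"], state["device_secret"])

if __name__ == "__main__":
    print("no rotation:", sso_after_refresh(False, False))               # True
    print("rotation + new ID token:", sso_after_refresh(True, True))     # True
    print("rotation, no new ID token:", sso_after_refresh(True, False))  # False
```

The third case is the failure mode the issue describes: the stored ID token still carries the `ds_hash` of the retired secret, so every app on the device fails the exchange until one of them completes a fresh code flow.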