[Openid-specs-ab] Issue #2176: [Native SSO] offline_scope? ds_hash? (openid/connect)

Takahiko Kawasaki issues-reply at bitbucket.org
Thu Apr 24 12:31:00 UTC 2025


New issue 2176: [Native SSO] offline_scope? ds_hash?
https://bitbucket.org/openid/connect/issues/2176/native-sso-offline_scope-ds_hash

Takahiko Kawasaki:

The following description appears in [Section 4.3. Native SSO Processing Rules](https://openid.net/specs/openid-connect-native-sso-1_0.html#section-4.3) of [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html) draft 07:

> Verify that the session id in the id_token (sid claim) is still valid. If the session is no longer valid, the AS MUST return an error of invalid_grant. Note that in the case of a refresh_tokens issued with an offline_scope the 'sid' value SHOULD represent the offline "session" such that if the original refresh_token is revoked the 'ds_hash' value in the id_token is no longer valid.

What does `offline_scope` in this description mean? Could it possibly refer to the `offline_access` scope defined in [Section 11. Offline Access](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)?

Also, the sudden appearance of `ds_hash` is confusing. Is it possible that `sid` was intended instead of `ds_hash`?
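The processing rule quoted above, modelled as an added example (not code from the issue or from the spec): an in-memory authorization server that ties a refresh token issued with `offline_access` to an offline "session", so that revoking the refresh token invalidates the `sid` and a later Native SSO token exchange fails with `invalid_grant`. The class, the store and the hashing-free treatment of `ds_hash` (its algorithm is left to the draft) are assumptions of this example.

```python
"""Toy AS model of the Native SSO rule: an offline_access grant gets a
refresh token bound to the same session as the id_token's sid claim;
revoking that refresh token ends the session, so a token exchange that
presents the old sid must be answered with invalid_grant.
All names and the in-memory store are constructed for this example."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    sid: str
    subject: str
    offline: bool                        # created for an offline_access grant?
    refresh_token: Optional[str] = None  # only set for offline sessions
    active: bool = True


@dataclass
class AuthorizationServer:
    sessions: dict = field(default_factory=dict)          # sid -> Session
    by_refresh_token: dict = field(default_factory=dict)  # refresh_token -> sid

    def issue(self, subject: str, scope: str):
        """Authorization response: mint id_token claims (sid) and, when
        offline_access was requested, a refresh token bound to that sid."""
        sess = Session(sid=secrets.token_urlsafe(16), subject=subject,
                       offline="offline_access" in scope.split())
        if sess.offline:
            sess.refresh_token = secrets.token_urlsafe(32)
            self.by_refresh_token[sess.refresh_token] = sess.sid
        self.sessions[sess.sid] = sess
        return {"sid": sess.sid, "sub": subject}, sess.refresh_token

    def revoke_refresh_token(self, refresh_token: str) -> None:
        """Revocation: the offline session dies together with its token."""
        sid = self.by_refresh_token.pop(refresh_token, None)
        if sid is not None:
            self.sessions[sid].active = False

    def token_exchange(self, id_token_claims: dict) -> dict:
        """Section 4.3 check on the sid claim: an unknown or ended session
        yields the invalid_grant error instead of new tokens."""
        sess = self.sessions.get(id_token_claims.get("sid"))
        if sess is None or not sess.active:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "sid": sess.sid}
```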