[Openid-specs-ab] Updating the Native SSO for Mobile Apps specification
george at practicalidentity.com
Thu Jun 12 01:42:59 UTC 2025
Hi,
The latest draft of the Native SSO for Mobile Apps specification addresses all the outstanding issues. However, a number of larger concerns around the use of the id_token have been raised and I’d like to start the work to address those concerns.
Today, the device_secret represents state held by the Authorization Server for the mobile device and all the apps written by the same entity installed on that device. It is effectively a “device instance token”. The current spec allows for this device_secret to maintain state for multiple user sessions (say different identities logged into different apps).
The current spec also states that the device_secret MUST be opaque to the client. Because of this, the id_token is used by the mobile apps installed on the device to determine the set of users that have logged in. The id_token contains both the session id for the user as well as the `sub` claim identifying the user.
If we want to reduce dependency on the id_token, then I think the main change is determining a different way to maintain the list of users who have logged in. This is necessary when a new mobile app, written by the same entity, is installed on the device and it needs to display the set of users that can be logged in via this back-channel method.
Today, the token exchange (section 4) requires the id_token as the subject_token to identify to the AS which identity the user wants to SSO into the new app. If we don’t use the id_token for this purpose, we need another way for the client to specify/identify the desired user to the token endpoint as part of the token exchange call.
There are other improvements we can consider, like should we look at DPoP or some of the other “client instance registration” mechanisms.
If you are interested in working on this, please let me know and we can set up a team to start addressing the larger changes.
I would also like to vote the latest draft to an implementors draft and then maybe move the baseline from bitbucket to GitHub to make it easier to work on the updates.
Any thoughts or suggestions appreciated!
Thanks,
George
George Fletcher
Identity Standards Architect
Practical Identity LLC
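To make the dependency described above concrete, here is a toy model of the section 4 token exchange in Python. It is an added illustration written for this page, not code from the specification, from George, or from any implementation. It assumes unsigned id_tokens (a real AS verifies a JWS), models the draft's `sid` and `ds_hash` claims, and uses the device_secret token-type URN as I recall it from the draft, which should be checked against the current text. The two client-side helpers show exactly the two places the id_token is relied on today: building the list of logged-in users, and naming the user in the exchange request.

```python
"""Toy model of Native SSO: device_secret state at the AS, id_tokens carrying
sub + sid, and the section 4 token exchange. Added illustration, not spec code.
Assumptions: unsigned id_tokens; ds_hash/sid claims as in the draft; the
device-secret token-type URN below is from the draft as recalled (verify)."""
import base64
import hashlib
import json
import secrets

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"               # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"       # RFC 8693
DEVICE_SECRET_TYPE = "urn:x-oath:params:oauth:token-type:device-secret"   # draft (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ds_hash(device_secret: str) -> str:
    # Binds an id_token to one device_secret, modelled on the draft's ds_hash claim.
    return _b64(hashlib.sha256(device_secret.encode()).digest()[:16])


class AuthorizationServer:
    """Holds the per-device state the message calls a 'device instance token'."""

    def __init__(self):
        self.sessions = {}         # sid -> sub
        self.device_sessions = {}  # device_secret -> set of sids it may act for
        self.access_tokens = {}    # opaque access token -> sub

    def login(self, sub, device_secret=None):
        """Front-channel login in one app. Reuses the device_secret if the app
        already holds one, so several users can share one device_secret."""
        if device_secret not in self.device_sessions:
            device_secret = secrets.token_urlsafe(32)
            self.device_sessions[device_secret] = set()
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = sub
        self.device_sessions[device_secret].add(sid)
        claims = {"sub": sub, "sid": sid, "ds_hash": ds_hash(device_secret)}
        return _b64(json.dumps(claims).encode()), device_secret

    def token_exchange(self, form):
        """Token endpoint handling of the section 4 exchange."""
        if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        if (form.get("subject_token_type") != ID_TOKEN_TYPE
                or form.get("actor_token_type") != DEVICE_SECRET_TYPE):
            return {"error": "invalid_request"}
        sids = self.device_sessions.get(form.get("actor_token"))
        if sids is None:
            return {"error": "invalid_grant"}  # unknown or revoked device_secret
        try:
            claims = json.loads(_unb64(form["subject_token"]))
        except (KeyError, ValueError):
            return {"error": "invalid_grant"}
        # The id_token must be bound to this device_secret, name a session the
        # device_secret holds, and agree with the AS's own record of that session.
        if (claims.get("ds_hash") != ds_hash(form["actor_token"])
                or claims.get("sid") not in sids
                or self.sessions.get(claims["sid"]) != claims.get("sub")):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = claims["sub"]
        return {"access_token": token, "issued_token_type": ACCESS_TOKEN_TYPE,
                "token_type": "Bearer"}

    def introspect(self, access_token):
        return self.access_tokens.get(access_token)


def logged_in_users(id_tokens):
    """What a newly installed sibling app does today: read sub and sid out of the
    id_tokens shared on the device to build its account chooser."""
    users = {}
    for tok in id_tokens:
        claims = json.loads(_unb64(tok))
        users[claims["sub"]] = claims["sid"]
    return users


def exchange_request(id_token, device_secret, audience="new-app"):
    """Section 4 request: the chosen user's id_token is the subject_token."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT,
            "subject_token": id_token, "subject_token_type": ID_TOKEN_TYPE,
            "actor_token": device_secret, "actor_token_type": DEVICE_SECRET_TYPE,
            "audience": audience}


if __name__ == "__main__":
    az = AuthorizationServer()
    tok_a, ds = az.login("alice")
    tok_b, _ = az.login("bob", ds)
    print(logged_in_users([tok_a, tok_b]))
    print(az.token_exchange(exchange_request(tok_a, ds)))
```

The check that matters for the redesign is the one in `token_exchange`: the AS refuses an id_token whose `sid` is not in the set held for the presented device_secret, so an id_token lifted from another device cannot be exchanged with this device's secret. Any replacement for the id_token as subject_token has to carry an equivalent identifier that the AS can tie back to the device_secret's session list.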