[Native SSO] Token refresh
We need help with the refresh token grant in the context of device SSO.
https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.3
Section 3.3 says the RP can omit the device_secret in a token refresh, and this is fine. The OP will check the refresh token and, if it contains the device_sso scope, it will know the context (device SSO).
https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.4
If the authorization request included the device_sso scope then the authorization server MUST return a device_secret in the response. The device_secret is returned in the device_token claim of the returned JSON data. If no device_secret is specified, then the AS MUST generate the token. If a device_secret is specified and is valid, the AS MAY update the device_secret as necessary. Regardless, a device_secret must be returned in the response.
Section 3.4 describes the response to an authorization code grant. I'm unsure if / how this applies to refresh token responses; in particular, is the device_secret here also required?