[Native SSO] Token refresh

Issue #2168 new
Vladimir Dzhuvinov created an issue

We need help with the refresh token grant in the context of device SSO.

https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.3

Section 3.3 says the RP can omit the device_secret in a token refresh, and this is fine. The OP will check the refresh token and if it contains the device_sso scope, it will know the context (device SSO).

https://openid.net/specs/openid-connect-native-sso-1_0.html#section-3.4

If the authorization request included the device_sso scope then the authorization server MUST return a device_secret in the response. The device_secret is returned in the device_token claim of the returned JSON data. If no device_secret is specified, then the AS MUST generate the token. If a device_secret is specified and is valid, the AS MAY update the device_secret as necessary. Regardless a device_secret must be returned in the response.

Section 3.4 describes the response to an authorization code grant. I’m unsure if / how this applies to refresh token responses - in particular - is the device_secret here also required?
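To make the Section 3.3 behaviour concrete, here is an added illustration of the OP side of the refresh token grant (not code from the spec, the issue author or the project). It assumes an in-memory refresh token store, hypothetical helper names, and a `device_secret` response member; the final echo of the bound device_secret is an assumption, since whether a refresh response must carry one is exactly what the issue asks.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshTokenRecord:
    subject: str
    client_id: str
    scope: Set[str]
    device_secret: Optional[str]  # bound when the code grant included device_sso


# Constructed in-memory store keyed by refresh token value (assumption).
REFRESH_TOKENS: Dict[str, RefreshTokenRecord] = {}


def issue_refresh_token(subject, client_id, scope, device_secret=None):
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = RefreshTokenRecord(subject, client_id, set(scope), device_secret)
    return token


def _secret_matches(rec: RefreshTokenRecord, presented: str) -> bool:
    # Constant-time comparison against the secret bound to this refresh token.
    return rec.device_secret is not None and secrets.compare_digest(presented, rec.device_secret)


def handle_refresh_grant(form: dict) -> dict:
    """Process grant_type=refresh_token; returns the JSON body the OP would send."""
    rec = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if rec is None or rec.client_id != form.get("client_id"):
        return {"error": "invalid_grant"}
    # Section 3.3: the RP may omit device_secret; the OP learns the device SSO
    # context from the device_sso scope carried by the refresh token itself.
    native_sso = "device_sso" in rec.scope
    presented = form.get("device_secret")
    if presented is not None and (not native_sso or not _secret_matches(rec, presented)):
        # A device_secret that does not belong to this session is rejected, not ignored.
        return {"error": "invalid_grant"}
    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 600,
        "scope": " ".join(sorted(rec.scope)),
    }
    if native_sso:
        # Assumption: echo the bound device_secret, mirroring Section 3.4 for the code grant.
        response["device_secret"] = rec.device_secret
    return response
```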
