[Native SSO] The id_token spec in the token exchange profile

Issue #2169 open
Vladimir Dzhuvinov created an issue

In the token exchange profile there is a definition of the id_token that the OP must mint in response to a backend SSO request.

https://openid.net/specs/openid-connect-native-sso-1_0.html#name-token-exchange-response

id_token

OPTIONAL. By default the AS should return an id_token that provides the mobile app with an identity assertion about the user.

I think this definition should mention that the ID token must include the ds_hash and sid claims, as specced in section 3.4. This will enable the group of related apps on the device to use the new ID token in subsequent backend SSO requests via the token exchange grant. Otherwise, if the ID token is a generic one, the apps will have to use the original ID token issued in the web flow (the code flow). Unless this is intended behaviour (but that can lead to a broken binding if the device_secret is updated at some point).

Comments (3)

  1. gffletch

    What about adding a clause which says…

    If an id_token is returned, the ds_hash and sid claims MUST be present.