[Native SSO] Device secret updates should only happen when a new ID token is issued

Issue #2170 open
Vladimir Dzhuvinov created an issue

This issue was discovered recently and is not based on our PoC (which doesn’t rotate the device_secret).

The spec allows for OPs to update the device_secret, for extra security in case of a leak. The OP can return a new device_secret to the RP in a token response. The device SSO spec deals with these 3 grants:

  • code
  • refresh token
  • token exchange

The code and token exchange grants provide the RP with a new ID token, which is supposed to include the ds_hash. If a new device_secret gets issued, this gets reflected in the ID token ds_hash.

The interpretation of the current spec is that the refresh token response can also produce an updated device_secret (issue #2168). OIDC Core, however, doesn’t mandate an ID token in these responses, i.e. it’s an optional thing and there are also good reasons to consider this an anti-pattern. In the absence of an updated ID token (with the new ds_hash binding) the group of apps on the device will not be able to make a new successful back-channel SSO request via the token exchange grant.

It seems the most efficient solution to this is to allow device_secret updates only in the code flow and in the token exchange profile, leaving the refresh token grant out of this. The general rule being that device secret updates should only happen when a new ID token is issued.

I noticed the token exchange request could also benefit from an explicit mention that the submitted ID token must be bound to the device secret in the actor_token, to make app developers aware of this requirement when they construct their requests:

https://openid.net/specs/openid-connect-native-sso-1_0.html#name-oauth2-token-exchange-profi
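The failure mode described in the issue, worked through as an added example (this is not the spec's text nor any OP's code). A toy in-memory OP issues HS256 ID tokens carrying a ds_hash, hands out and rotates device secrets across the three grants, and enforces the binding in the token exchange profile. The ds_hash construction (at_hash-style left half of SHA-256), the HS256 signing, the issuer, client IDs and the demo key are all assumptions made for the example; the spec leaves the hash construction to the OP, and the model deliberately lets the refresh grant rotate the secret with or without an ID token so the two policies can be compared.

```python
import base64, hashlib, hmac, json, secrets, time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ds_hash(device_secret: str) -> str:
    # Assumption: at_hash/c_hash style, left-most 128 bits of SHA-256 over the
    # ASCII octets. Only the OP ever computes and compares this value.
    return b64url(hashlib.sha256(device_secret.encode("ascii")).digest()[:16])


class TokenError(Exception):
    """str(exc) is the OAuth 2.0 error code the OP would return."""


class OP:
    """In-memory OpenID Provider: HS256 ID tokens, opaque refresh tokens."""

    def __init__(self, issuer: str, key: bytes):
        self.iss, self.key = issuer, key
        self.refresh_tokens = {}        # refresh_token -> (sub, client_id, device_secret)
        self.active_device_secrets = set()

    def _sign(self, claims: dict) -> str:
        header = b64url(json.dumps({"alg": "HS256"}).encode())
        payload = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def _verify(self, token: str) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise TokenError("invalid_grant")
        expected = hmac.new(self.key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise TokenError("invalid_grant")
        claims = json.loads(b64url_decode(parts[1]))
        if claims.get("iss") != self.iss or claims.get("exp", 0) < time.time():
            raise TokenError("invalid_grant")
        return claims

    def _new_device_secret(self, replacing=None) -> str:
        self.active_device_secrets.discard(replacing)   # a rotated secret stops working
        ds = secrets.token_urlsafe(32)
        self.active_device_secrets.add(ds)
        return ds

    def _tokens(self, sub: str, client_id: str, ds: str, with_id_token: bool) -> dict:
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (sub, client_id, ds)
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "refresh_token": rt}
        if with_id_token:   # the ID token carries the ds_hash of the secret currently in force
            now = int(time.time())
            resp["id_token"] = self._sign({"iss": self.iss, "sub": sub, "aud": client_id,
                                           "iat": now, "exp": now + 600, "ds_hash": ds_hash(ds)})
        return resp

    def code_grant(self, sub: str, client_id: str) -> dict:
        """Code grant with device_sso scope: new device_secret, ID token bound to it."""
        ds = self._new_device_secret()
        return {**self._tokens(sub, client_id, ds, True), "device_secret": ds}

    def refresh_grant(self, refresh_token: str, rotate: bool, with_id_token: bool) -> dict:
        if refresh_token not in self.refresh_tokens:
            raise TokenError("invalid_grant")
        sub, client_id, ds = self.refresh_tokens.pop(refresh_token)
        extra = {}
        if rotate:                       # the policy the issue argues against
            ds = self._new_device_secret(replacing=ds)
            extra["device_secret"] = ds
        return {**self._tokens(sub, client_id, ds, with_id_token), **extra}

    def token_exchange(self, subject_token: str, actor_token: str, audience: str, rotate=False) -> dict:
        """RFC 8693 profile: subject_token is the ID token, actor_token the device_secret."""
        claims = self._verify(subject_token)
        if actor_token not in self.active_device_secrets:
            raise TokenError("invalid_grant")   # unknown or already rotated away
        if not hmac.compare_digest(claims.get("ds_hash", ""), ds_hash(actor_token)):
            raise TokenError("invalid_grant")   # ID token not bound to this device_secret
        ds = self._new_device_secret(replacing=actor_token) if rotate else actor_token
        resp = self._tokens(claims["sub"], audience, ds, True)   # a new ID token is always issued here
        if rotate:
            resp["device_secret"] = ds
        return resp


def sso_outcome(op: OP, id_token: str, device_secret: str, audience: str) -> str:
    """What a second app gets from a back-channel SSO attempt: "sso_ok" or the error code."""
    try:
        op.token_exchange(id_token, device_secret, audience)
        return "sso_ok"
    except TokenError as exc:
        return str(exc)


def sso_after_refresh(rotate_on_refresh: bool, id_token_on_refresh: bool) -> str:
    """App A signs in and later refreshes; App B then uses whatever ID token and
    device_secret are newest in the shared keychain. Issuer, clients and key are constructed."""
    op = OP("https://op.example.com", b"constructed-demo-key-not-for-production")
    first = op.code_grant("alice", "app-a")
    keychain = {"id_token": first["id_token"], "device_secret": first["device_secret"]}
    refreshed = op.refresh_grant(first["refresh_token"], rotate_on_refresh, id_token_on_refresh)
    keychain.update({k: refreshed[k] for k in ("id_token", "device_secret") if k in refreshed})
    return sso_outcome(op, keychain["id_token"], keychain["device_secret"], "app-b")


def sso_after_exchange_rotation() -> str:
    """Rotation inside the token exchange grant ships the new secret together with a
    new ID token, so a third app's later exchange still succeeds."""
    op = OP("https://op.example.com", b"constructed-demo-key-not-for-production")
    first = op.code_grant("alice", "app-a")
    second = op.token_exchange(first["id_token"], first["device_secret"], "app-b", rotate=True)
    return sso_outcome(op, second["id_token"], second["device_secret"], "app-c")
```

Running `sso_after_refresh(True, False)` reproduces the problem: the refresh response rotated the device_secret but returned no ID token, so App B presents a new actor_token against an ID token whose ds_hash still names the old secret and the OP answers invalid_grant (an app that kept the old secret fails as well, since that secret is no longer active). `sso_after_refresh(True, True)` models a refresh response that rotates and also returns a fresh ID token, and `sso_after_exchange_rotation()` models rotation only where a new ID token is issued anyway; both keep SSO working.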

Comments (3)

  1. gffletch

    Another possible option in the refresh_token grant flow would be to require the AS to return an id_token if and only if a new device_secret is being issued.
