I see what s_hash is doing but I have some concern about a new required claim in the ID Token that off-the-shelf products and open source that do regular OIDC won't support. Seems like that could hinder adoption and interchangeability.
In FAPI part 2, the authentication request must be integrity protected so there's less opportunity to mess with the state. And the hybrid flows require the nonce parameter in the request which is returned in the signed ID Token. Couldn't the same protections that s_hash gives be achieved by telling the client/RP to integrity protect the state value it sends and to associate the state with the nonce and check that association when validating the response?
Maybe I'm off base here but that seems like it would provide the same protections without adding a new required protocol element on top of OIDC.