#109 I've suggested that maybe s_hash isn't needed but, if it does stay, I think it needs a bit more definition.
OAuth and OIDC both have state as recommended but not required. So the definition of s_hash needs to clearly state what should happen when state was omitted from the authentication request and thus authentication response. I'd assume that s_hash would be omitted from the ID Token when state wasn't present. But I think the document should be explicit about it.
The document should also probably make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims