In DDA, it uses "Surrogate Identity" without defining what identity is. It looks like it is meant to be "identifier".
Even then, the meaning of the clause is not clear.
For example, the meaning of "OAuth creates a surrogate identifier for a Login (entity)" is not clear. OAuth does not create an identifier that represents a Login (= user identity). It just represents the access grant. It is a well-known security hole to mistake access and refresh tokens for user identity.
If one wants to use them as such, the Client needs to at least verify that:
- the token was issued for the client
- the token was issued by the intended issuer
- the token maps to one user identifier
etc. It will eventually end up being semantically equal to (at minimum) an ID Token.
Also, it seems to be asking for RT and AT to be persistent. Not sure if that is a good idea.