Originally submitted by Takahiko Kawasaki (Takahiko Kawasaki) on 2025-04-24
The following description appears in Section 4.3. Native SSO Processing Rules of OpenID Connect Native SSO for Mobile Apps 1.0 draft 07:
Verify that the session id in the id_token (sid claim) is still valid. If the session is no longer valid, the AS MUST return an error of invalid_grant. Note that in the case of a refresh_tokens issued with an offline_scope the 'sid' value SHOULD represent the offline "session" such that if the original refresh_token is revoked the 'ds_hash' value in the id_token is no longer valid.
What does offline_scope in this description mean? Could it possibly refer to the offline_access scope defined in Section 11. Offline Access of OpenID Connect Core 1.0?
Also, the sudden appearance of ds_hash is confusing. Is it possible that sid was intended instead of ds_hash?
Bitbucket status: new
Bitbucket origin: issue 2176
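To make the quoted processing rule concrete, here is an added illustration (not code from the issue author or from the OpenID Foundation) of how an authorization server might enforce it: the `sid` carried in the id_token is checked against live session state, a refresh token issued for an offline session is linked to that `sid`, and revoking the refresh token invalidates the session so a later native SSO exchange fails with `invalid_grant`. The `AuthorizationServer`, `Session` and `native_sso_exchange` names are assumptions made for the example; the id_token is modelled as an already-verified claims dict rather than a signed JWT, and the device-secret handling of the real exchange is left out.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory model of the AS state relevant to Section 4.3.


@dataclass
class Session:
    sid: str
    subject: str
    valid: bool = True


@dataclass
class AuthorizationServer:
    sessions: dict = field(default_factory=dict)        # sid -> Session
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> sid

    def login(self, subject: str, offline_access: bool = False):
        """Establish a session and mint id_token claims (constructed, unsigned).

        With offline_access the refresh token is bound to the session, so the
        'sid' represents the offline "session" as the draft describes.
        """
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid=sid, subject=subject)
        id_token_claims = {"sub": subject, "sid": sid}
        refresh_token: Optional[str] = None
        if offline_access:
            refresh_token = secrets.token_urlsafe(24)
            self.refresh_tokens[refresh_token] = sid
        return id_token_claims, refresh_token

    def revoke_refresh_token(self, refresh_token: str) -> None:
        """Revoking the offline refresh token ends the session it represents."""
        sid = self.refresh_tokens.pop(refresh_token, None)
        if sid is not None and sid in self.sessions:
            self.sessions[sid].valid = False

    def end_session(self, sid: str) -> None:
        """Interactive logout: the sid is no longer valid afterwards."""
        if sid in self.sessions:
            self.sessions[sid].valid = False

    def native_sso_exchange(self, id_token_claims: dict) -> dict:
        """Apply the rule: if the sid is no longer valid, return invalid_grant.

        Assumes the id_token signature and audience were verified earlier.
        Returns an OAuth-style response dict (success or error form).
        """
        sid = id_token_claims.get("sid")
        session = self.sessions.get(sid) if sid else None
        if session is None or not session.valid:
            return {"error": "invalid_grant"}
        return {
            "access_token": secrets.token_urlsafe(16),
            "token_type": "Bearer",
            "sub": session.subject,
        }


def demo() -> tuple:
    """Walk through both invalidation paths; returns the three exchange results."""
    auth_server = AuthorizationServer()
    claims, refresh_token = auth_server.login("alice", offline_access=True)
    first = auth_server.native_sso_exchange(claims)          # session live
    auth_server.revoke_refresh_token(refresh_token)
    second = auth_server.native_sso_exchange(claims)         # offline session gone
    claims2, _ = auth_server.login("alice")
    auth_server.end_session(claims2["sid"])
    third = auth_server.native_sso_exchange(claims2)         # logged out
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the example makes is the one the draft's note is getting at: for an offline session the `sid` must be tied to the refresh token's lifetime, otherwise a revoked refresh token would leave an id_token whose `sid` still passes the check.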