aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Binding to device #75

Open yaronf opened 6 months ago

yaronf commented 6 months ago

Sec. 5.3.1, "the 'auth_session' MUST be bound to the device" - how do we expect the Client/AS to do that? Device fingerprinting is a famously hard problem.

sjjhsjjh commented 5 months ago

Yes. The implication seems to be that the AS mustn't generate an auth_session unless it is assured that it will be bound to the device by the client. That assurance could be given by app and device attestation, I guess, if it had already taken place prior to the Authorization Challenge Request.