authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Issue device secret in token endpoint #4389

Closed tung2744 closed 3 days ago

tung2744 commented 1 week ago

ref DEV-1404

tung2744 commented 5 days ago

I've read the spec again.

If a mobile app requests a device secret via the device_sso scope and a device_secret exists, then the client MUST provide the device_secret on the request to the /token endpoint to exchange code for tokens.

I think that means, if a device has two apps installed, A and B, and both apps request the device_sso scope. Assume A is already authenticated (and therefore obtained a device_secret), and B uses the authorize endpoint to authenticate. When B calls the token endpoint in the authorization code flow, B should also pass the device_secret obtained by A. And the server should rotate the device_secret in this case too.

If I understand it correctly, that means in this case, even if B is not authenticated using the new token exchange profile, it should share the same session with A (and therefore the same device_secret).

So marking this PR as WIP for the above change.

tung2744 commented 5 days ago

After thinking deeper: if app A provided the app-initiated-sso-to-web scope, and therefore a device_secret was issued, and after that app B used the authorize endpoint to authenticate and called the token endpoint to obtain tokens, then according to the spec, as a device_secret already exists (obtained by app A), B should provide the device_secret to the token endpoint. We can then expect the session of app B to be the same as app A's (because of the shared device_secret). Therefore it looks like app-initiated-sso-to-web implies device_sso is enabled?
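The token endpoint rule described in the two comments above (a client that requested device_sso and already holds a device_secret from a sibling app presents it, joins that app's session, and receives a rotated secret) is sketched below as an added Go example. It is not Authgear's code: the `AuthServer`, `ExchangeCode`, the in-memory code and session stores, storing only a SHA-256 hash of the secret, and rejecting a secret bound to a different user instead of merging sessions are all assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// Constructed, simplified model of the token endpoint rule discussed in this
// thread; not Authgear's code. Only a SHA-256 hash of a device_secret is kept.
type AuthCode struct {
	UserID string
	Scopes map[string]bool
}
type Session struct {
	ID         string
	UserID     string
	SecretHash []byte // nil: this session has no device secret
}
type TokenRequest struct {
	Code         string
	DeviceSecret string // optional: the secret a sibling app on the device already holds
}
type TokenResponse struct {
	SessionID    string
	AccessToken  string
	DeviceSecret string // set only when device_sso was granted
}
type AuthServer struct {
	codes    map[string]AuthCode
	sessions []*Session
}

func NewAuthServer() *AuthServer { return &AuthServer{codes: map[string]AuthCode{}} }

// IssueCode stands in for the /authorize step that mints a code with its scopes.
func (s *AuthServer) IssueCode(code, userID string, scopes ...string) {
	c := AuthCode{UserID: userID, Scopes: map[string]bool{}}
	for _, sc := range scopes {
		c.Scopes[sc] = true
	}
	s.codes[code] = c
}

func randomString() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func (s *AuthServer) newSession(userID string) *Session {
	sess := &Session{ID: randomString(), UserID: userID}
	s.sessions = append(s.sessions, sess)
	return sess
}

// findByDeviceSecret compares against every stored hash in constant time.
func (s *AuthServer) findByDeviceSecret(secret string) *Session {
	h := sha256.Sum256([]byte(secret))
	var match *Session
	for _, sess := range s.sessions {
		if subtle.ConstantTimeCompare(h[:], sess.SecretHash) == 1 {
			match = sess
		}
	}
	return match
}

// ExchangeCode is the authorization_code grant with the rule from the thread:
// an existing device_secret joins its session and is rotated on every exchange.
func (s *AuthServer) ExchangeCode(req TokenRequest) (TokenResponse, error) {
	code, ok := s.codes[req.Code]
	if !ok {
		return TokenResponse{}, errors.New("invalid_grant: unknown or used code")
	}
	delete(s.codes, req.Code) // authorization codes are single-use
	if !code.Scopes["device_sso"] {
		sess := s.newSession(code.UserID) // plain login: no device secret issued
		return TokenResponse{SessionID: sess.ID, AccessToken: randomString()}, nil
	}
	sess := s.findByDeviceSecret(req.DeviceSecret)
	switch {
	case req.DeviceSecret == "":
		sess = s.newSession(code.UserID) // first device_sso app on this device
	case sess == nil:
		return TokenResponse{}, errors.New("invalid_grant: device_secret not recognised")
	case sess.UserID != code.UserID:
		// Assumption of this example: reject rather than merge two users' sessions.
		return TokenResponse{}, errors.New("invalid_grant: device_secret bound to another user")
	}
	// Rotate on every exchange so a secret shared with a sibling app cannot be replayed.
	newSecret := randomString()
	h := sha256.Sum256([]byte(newSecret))
	sess.SecretHash = h[:]
	return TokenResponse{SessionID: sess.ID, AccessToken: randomString(), DeviceSecret: newSecret}, nil
}
```

With two codes for the same user, exchanging the second one together with the secret returned by the first yields the same `SessionID` and a fresh `DeviceSecret`; presenting the superseded secret afterwards is refused, as is a code exchanged without `device_sso`, which gets its own session and no secret.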

tung2744 commented 5 days ago

Per offline discussion, this PR needs to:

tung2744 commented 4 days ago

@louischan-oursky Updated, thanks! I kept the device secret in the offline grant because we don't currently have a case where a single secret can be used in multiple offline grants.

tung2744 commented 4 days ago

Updated, thanks!