Closed tung2744 closed 3 days ago
I've read the spec again.
If a mobile app requests a device secret via the device_sso scope and a device_secret exists, then the client MUST provide the device_secret on the request to the /token endpoint to exchange code for tokens.
I think that means, if a device has two apps installed, A and B, and both apps request the device_sso scope. Assume A has already authenticated (and therefore obtained a device_secret), and B uses the authorize endpoint to authenticate. When B calls the token endpoint in the authorization code flow, B should also pass the device_secret obtained by A. And the server should rotate the device_secret in this case too.
If I understand it correctly, that means in this case, even though B is not authenticated using the new token exchange profile, it should share the same session with A (and therefore the same device_secret).
So marking this PR as WIP for the above change.
After thinking deeper: if app A provided the app-initiated-sso-to-web scope, and therefore a device_secret was issued, and after that app B used the authorize endpoint to authenticate and called the token endpoint to obtain tokens, then according to the spec, as a device_secret already exists (obtained by app A), B should provide the device_secret to the token endpoint. We can then expect the session of app B to be the same as app A's (because of the shared device_secret). Therefore it looks like app-initiated-sso-to-web implies device_sso is enabled?
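An added example (not authgear's code and not from this PR) modelling the rule discussed above in Python: a device_secret issued to app A must be presented by app B on its own authorization-code exchange, is checked in constant time, rotated, and joins B to A's session. The class and method names and the in-memory stores are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class DeviceState:
    session_id: str     # the SSO session shared by apps on this device
    device_secret: str  # current secret; rotated on every successful exchange

@dataclass
class TokenEndpoint:
    devices: dict = field(default_factory=dict)  # device_id -> DeviceState (assumed store)
    codes: dict = field(default_factory=dict)    # auth code -> (device_id, scopes)

    def authorize(self, device_id, scopes):
        """Simulated /authorize: mint a one-time code bound to device and scopes."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (device_id, set(scopes))
        return code

    def token(self, code, device_secret=None):
        """Simulated /token code exchange; returns (session_id, device_secret)."""
        device_id, scopes = self.codes.pop(code)  # codes are single use
        if "device_sso" not in scopes:
            return secrets.token_urlsafe(8), None  # plain login: own session, no secret
        state = self.devices.get(device_id)
        if state is None:
            # First device_sso app on this device (app A): new session and secret.
            state = DeviceState(secrets.token_urlsafe(8), secrets.token_urlsafe(24))
            self.devices[device_id] = state
            return state.session_id, state.device_secret
        # A device_secret already exists, so the caller (app B) MUST present it.
        if device_secret is None or not hmac.compare_digest(device_secret, state.device_secret):
            raise PermissionError("invalid_grant: device_secret missing or mismatched")
        # Presented secret is valid: rotate it and join A's existing session.
        state.device_secret = secrets.token_urlsafe(24)
        return state.session_id, state.device_secret

def two_app_scenario():
    # App A logs in with device_sso, then app B exchanges its own code on the same device.
    ep = TokenEndpoint()
    sess_a, ds_a = ep.token(ep.authorize("device-1", ["openid", "device_sso"]))
    try:  # B without the secret is rejected even though its code is valid
        ep.token(ep.authorize("device-1", ["openid", "device_sso"]))
        rejected = False
    except PermissionError:
        rejected = True
    sess_b, ds_b = ep.token(ep.authorize("device-1", ["openid", "device_sso"]), ds_a)
    return {"same_session": sess_a == sess_b, "rotated": ds_a != ds_b, "rejected": rejected}
```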
Per offline discussion, this PR needs to:
@louischan-oursky Updated, thanks! I kept the device secret in the offline grant because we don't currently have a case where a single secret can be used in multiple offline grants.
Updated, thanks!
ref DEV-1404