In my very limited testing with only one OIDC provider (WSO2), the access token validation method (in spec here: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitTokenValidation) does still work with the access token returned from the refresh endpoint and the id token returned from the token endpoint. I can’t find any mention of this being guaranteed in the specification.
Also, if this does work, does anyone know how the access token left-most hash can still match the at_hash after the access token has been refreshed? I mean, what is the mechanism used to create the refreshed access token to maintain compatibility with the ID token?
The lifetime of the ID-token is very short, in some systems like 5 minutes, and its main purpose is just to create the local user session. After that the ID-token is discarded.
So I guess the hashes in the ID-token are just used to validate the initial access token.
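For reference, this is the at_hash computation both the question and the answer are talking about, written out as an added example (not code from either poster, and not WSO2's implementation). It follows OpenID Connect Core 1.0 section 3.2.2.9/3.2.2.10: hash the ASCII octets of the access token with the hash function implied by the ID token's JWS `alg`, keep the left-most half, and base64url-encode it without padding. The token strings and the ID token payload below are constructed for illustration, and the function names are my own. It shows what happens when the same at_hash is checked against a refreshed access token: since the refreshed token is a new value, its hash no longer matches the claim minted for the original one.

```python
"""
Added example: compute and verify the OIDC at_hash binding between an
access token and an ID token (OpenID Connect Core 1.0, 3.2.2.9 / 3.2.2.10).
Token values and the ID token payload below are constructed for this demo.
"""
import base64
import hashlib
import hmac

# Hash function implied by the ID token's JWS "alg": the digest length in the
# alg name picks the SHA-2 variant (e.g. RS256/ES256/HS256/PS256 -> SHA-256).
_HASH_FOR_ALG = {
    f"{prefix}{bits}": fn
    for bits, fn in ((256, hashlib.sha256), (384, hashlib.sha384), (512, hashlib.sha512))
    for prefix in ("HS", "RS", "ES", "PS")
}


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE/OIDC require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str) -> str:
    """at_hash = base64url(left-most half of hash_alg(ASCII(access_token)))."""
    try:
        hash_fn = _HASH_FOR_ALG[alg]
    except KeyError:
        raise ValueError(f"unsupported ID token alg: {alg}") from None
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def at_hash_matches(access_token: str, id_token_claims: dict, alg: str) -> bool:
    """Check an access token against the at_hash claim of an (already
    signature-verified) ID token.  A missing claim is treated as no match;
    the caller decides whether an absent binding is acceptable for its flow."""
    claimed = id_token_claims.get("at_hash")
    if not isinstance(claimed, str):
        return False
    expected = compute_at_hash(access_token, alg)
    # constant-time compare so the check does not leak how many leading
    # characters of the claim were right
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("ascii"))


def demo() -> dict:
    """Replay the situation from the thread with constructed tokens."""
    alg = "RS256"
    # constructed: the access token issued together with the ID token
    original_access_token = "AT-original-fd2a1c9e4b7e4c1a9f3e"
    # constructed ID token payload, as the OP would have minted it with the
    # initial token response (signature verification is assumed done already)
    id_token_claims = {
        "iss": "https://op.example",
        "sub": "alice",
        "at_hash": compute_at_hash(original_access_token, alg),
    }
    # constructed: a fresh access token returned by the refresh endpoint
    refreshed_access_token = "AT-refreshed-0b6d3e8a7c5f4a2b9d1e"
    return {
        "original_matches": at_hash_matches(original_access_token, id_token_claims, alg),
        "refreshed_matches": at_hash_matches(refreshed_access_token, id_token_claims, alg),
        "missing_claim_matches": at_hash_matches(original_access_token, {"sub": "alice"}, alg),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The binding is one-way: the at_hash is a property of the specific access token string the OP hashed when it signed the ID token, and nothing in the refresh grant carries that value forward. A client that wants to keep applying the check after a refresh needs a new ID token issued alongside the refreshed access token; otherwise it is only the initial access token that the old ID token vouches for.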