IdentityServer3

id_token in response from refresh token request

Open guwer opened this issue 8 years ago • 4 comments

Question / Issue

In version 2.6.0, an id_token in the response from a refresh token request was added (in #3458). I think this should be at least disabled by default or removed, because now it is not possible to get an id token in the password grant, but with the refresh_token grant I receive an id token whether I want it or not.

guwer avatar Apr 05 '17 21:04 guwer

We are aware of this bug - not sure yet when we'll have time to fix it.

You can send a PR if you want to fix it yourself. It's the same as here: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/ResponseHandling/TokenResponseGenerator.cs#L179

leastprivilege avatar Apr 06 '17 07:04 leastprivilege

One question: why was the id token introduced in the refresh token response in the first place? I suppose it was for the authorization code grant. If yes, the fix would be to add the id token to a response only if the refresh token was issued in the code grant. Is it possible to detect such a case? Additionally, an option to disable/enable such behavior.

guwer avatar Apr 06 '17 20:04 guwer

because https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

leastprivilege avatar Apr 07 '17 05:04 leastprivilege

OK, so to fix this, the part that "Token Response (...) might not contain an id_token." needs to be implemented.

guwer avatar Apr 09 '17 20:04 guwer
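
For clients consuming this endpoint, an added example (not part of the thread and not IdentityServer code): it treats the id_token in a refresh response as optional and, when one is present, applies the claim checks from the RefreshTokenResponse section of the OpenID Connect Core spec linked above. The function names, the sample claims and the caller-supplied `decodeVerified` callback (assumed to verify the signature and return the claims) are hypothetical.

```javascript
// Constructed sample claims from the original login (not from the thread).
const SAMPLE_ORIGINAL = { iss: "https://idp.example", sub: "user-1",
                          aud: "client-a", iat: 1491400000, auth_time: 1491400000 };

function asArray(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Compare a refreshed ID token's claims with those of the original ID token.
// Returns a list of problems; an empty list means the checks passed.
function checkRefreshedIdToken(original, refreshed, nowSeconds, skewSeconds = 300) {
  const problems = [];
  if (refreshed.iss !== original.iss) problems.push("iss differs from original");
  if (refreshed.sub !== original.sub) problems.push("sub differs from original");
  // iat must be the issue time of the new token, not a copy of the old one.
  if (typeof refreshed.iat !== "number" ||
      Math.abs(nowSeconds - refreshed.iat) > skewSeconds) {
    problems.push("iat is not the time of this refresh");
  }
  // Every audience of the original token must still be present.
  const newAud = asArray(refreshed.aud);
  for (const aud of asArray(original.aud)) {
    if (!newAud.includes(aud)) problems.push("aud missing " + aud);
  }
  // auth_time, if present, is the original login time, not the refresh time.
  if (refreshed.auth_time !== undefined && original.auth_time !== undefined &&
      refreshed.auth_time !== original.auth_time) {
    problems.push("auth_time differs from original authentication");
  }
  // azp must match, and must stay absent if it was absent originally.
  if (refreshed.azp !== original.azp) problems.push("azp differs from original");
  return problems;
}

// The refresh response may legitimately carry no id_token at all.
function handleRefreshResponse(response, originalClaims, decodeVerified, nowSeconds) {
  if (!response.id_token) return { idTokenPresent: false, problems: [] };
  const claims = decodeVerified(response.id_token);
  return { idTokenPresent: true,
           problems: checkRefreshedIdToken(originalClaims, claims, nowSeconds) };
}
```
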