• Hello!

    One of our third-party clients is trying to access the id_token value when making a request to oauth/token with the grant_type of refresh_token, but that value does not appear to be included, even if id_token is set as part of the response_type.

    This appears to be a valid use-case. Is there anything we can do to include this value in the response for this scenario?

Viewing 1 replies (of 1 total)
  • Thread Starter Jeremy Ward

    (@jmichaelward)

    I’ve done some more investigation into the existing behavior today to see whether I could better understand and diagnose the problem. The TL;DR is that it appears the plugin has specific Authorize and UserInfo controllers for the OpenID implementation, but no corresponding TokenController.

    In version 4.2.3 (the latest release of the paid plugin), the OpenID AuthorizeController has a method called needsIdToken which gets called when the authorize parameters are built. If the openid scope is included with the request, the controller generates the ID token and returns it in the response.

    Since there is not an OpenID implementation of the TokenController, that same check is not made when requesting a new refresh token via the /oauth/token endpoint.

    Ultimately, I’d expect /oauth/token to return an ID token if it’s specifically requested via the scope, but currently it’s not possible to retrieve it, which is causing issues with our implementation.
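For the client side of this scenario, the following is an added example (not code from this thread or from the plugin) of handling a refresh response that may or may not carry an `id_token`, following the refresh rules in OpenID Connect Core 1.0 section 12.2. It assumes HS256 tokens keyed with the client secret; all function names are hypothetical and the sample values used with it are constructed.

```python
import base64, hashlib, hmac, json, time

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _mac(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a constructed sample ID token (stands in for the provider)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(head + '.' + body, secret))}"

def verify_hs256(token, secret):
    head, body, sig = token.split(".")
    if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(head + "." + body, secret), _b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64d(body))

def check_refresh_response(resp, original, secret, now=None):
    """Return the refreshed ID token's claims, or None when none was sent."""
    if "id_token" not in resp:
        return None  # permitted: a refresh response might not carry one
    new = verify_hs256(resp["id_token"], secret)
    now = time.time() if now is None else now
    for claim in ("iss", "sub", "aud"):  # must match the original login
        if new.get(claim) != original.get(claim):
            raise ValueError(f"{claim} changed on refresh")
    if new.get("azp") != original.get("azp"):  # same value, or absent in both
        raise ValueError("azp changed on refresh")
    if ("auth_time" in new and "auth_time" in original
            and new["auth_time"] != original["auth_time"]):
        raise ValueError("auth_time must stay the original login time")
    if new.get("exp", 0) <= now:
        raise ValueError("refreshed ID token already expired")
    return new
```

`original` is the validated claim set of the ID token from the initial authorization; when the function returns `None`, the client keeps using those claims.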

  • The topic ‘Include id_token with RefreshToken grant_type?’ is closed to new replies.