Closed longsleep closed 3 years ago
Mind sending a PR -- should be a simple one.
Yeah can do. Do you agree that the previously issued id_token value should just be kept if the refresh_token response does not include a new one? I am not 100% sure if that is the correct solution but it would fix the issue I am encountering. Alternatively the app would need to remember the id_token itself, in case it's no longer available in oidc-client-js.
When using grant_type=refresh_token (https://github.com/IdentityModel/oidc-client-js/blob/bcf6b368e9674d05180dca680f153d7da5336f9d/src/TokenClient.js#L54-L78), the OIDC specification states that returning the ID token is optional (https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse). So if an IdP does not return an ID token, oidc-client-js "forgets" its previous ID token value since the code in https://github.com/IdentityModel/oidc-client-js/blob/bcf6b368e9674d05180dca680f153d7da5336f9d/src/UserManager.js#L201. Looks like a bug, since a couple of lines before there actually is a conditional checking for the ID token. The assign also should be conditional.
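One way to write the conditional merge discussed in this thread, as an added example that is not oidc-client-js code: the stored ID token is kept when the refresh response omits it, and a newly returned one is accepted only if its `iss`, `sub` and `aud` match the original, as OIDC Core section 12.2 requires. The function names, the session object shape and the sample tokens are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, not the oidc-client-js API.
// decodeClaims reads JWT claims WITHOUT verifying the signature; a real
// client must validate the signature before trusting any claim.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("malformed ID token");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Merge a grant_type=refresh_token response into the stored session.
function applyRefreshResponse(previous, response, nowSeconds) {
  if (!response.access_token) throw new Error("refresh response has no access_token");
  const next = { ...previous, access_token: response.access_token };
  if (response.expires_in !== undefined) {
    next.expires_at = nowSeconds + Number(response.expires_in);
  }
  // refresh_token is optional as well: keep the old one unless it was rotated.
  if (response.refresh_token) next.refresh_token = response.refresh_token;
  // id_token is optional: replace it only when the IdP actually sent one.
  if (response.id_token) {
    if (previous.id_token) {
      const oldClaims = decodeClaims(previous.id_token);
      const newClaims = decodeClaims(response.id_token);
      // OIDC Core 12.2: iss, sub and aud must equal the original ID token's.
      for (const claim of ["iss", "sub", "aud"]) {
        if (JSON.stringify(oldClaims[claim]) !== JSON.stringify(newClaims[claim])) {
          throw new Error(`refreshed ID token changed ${claim}`);
        }
      }
    }
    next.id_token = response.id_token;
  }
  return next;
}

// Constructed sample tokens (unsigned placeholders, for illustration only).
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}
const stored = {
  id_token: fakeJwt({ iss: "https://idp.example", sub: "alice", aud: "app" }),
  access_token: "at-1", refresh_token: "rt-1", expires_at: 1000,
};
```
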