IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

id_token in response from refresh token request #3621

Open guwer opened 7 years ago

guwer commented 7 years ago

Question / Issue

In version 2.6.0, an id_token in the response to a refresh token request was added (in #3458). I think this should be at least disabled by default or removed, because now it is not possible to get an id token with the password grant, but with the refresh_token grant I receive an id token whether I want it or not.

leastprivilege commented 7 years ago

We are aware of this bug - not sure yet when we'll have time to fix it.

You can send a PR if you want to fix it yourself. It's the same as here: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/ResponseHandling/TokenResponseGenerator.cs#L179

guwer commented 7 years ago

One question: why was the id token introduced in the refresh token response in the first place? I suppose it was for the authorization code grant. If so, the fix would be to add the id token to the response only if the refresh token was issued in the code grant. Is it possible to detect such a case? Additionally, an option to disable/enable such behavior would be useful.

leastprivilege commented 7 years ago

Because of https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

guwer commented 7 years ago

OK, so to fix this, the part that says "Token Response (...) might not contain an id_token." needs to be implemented.
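The fix the two comments above converge on (return an id_token from the refresh_token grant only when the refresh token came out of an OpenID Connect flow, and otherwise leave it out as the spec permits) can be sketched as follows. This is an added example, not IdentityServer3's code or a patch to it; the `RefreshTokenRecord` and `TokenResponse` types, the `clientAllowsIdTokenOnRefresh` switch and the idea that the original grant type is recorded alongside the refresh token are all assumptions made here for illustration.

```csharp
// Added example (not IdentityServer3 code). Models the decision "should the
// refresh_token grant return an id_token?" and, when the answer is yes, the
// claims OIDC Core 12.2 says must stay stable across a refresh.
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical record of what the server stored when the refresh token was issued.
public sealed class RefreshTokenRecord
{
    public string OriginalGrantType { get; set; }   // e.g. "authorization_code", "password" (assumed to be stored)
    public IReadOnlyList<string> Scopes { get; set; }
    public string Subject { get; set; }             // sub of the original id_token
    public long AuthTime { get; set; }              // auth_time of the original id_token (unix seconds)
    public string ClientId { get; set; }
}

// Hypothetical, minimal token response shape.
public sealed class TokenResponse
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
    public Dictionary<string, object> IdTokenClaims { get; set; } // null => no id_token in the response
}

public static class RefreshTokenResponseBuilder
{
    // Grants in which an id_token can legitimately have been issued in the first place.
    static readonly HashSet<string> OidcGrants =
        new HashSet<string>(StringComparer.Ordinal) { "authorization_code", "hybrid" };

    // Spec: the refresh token response "might not contain an id_token". Only include one
    // when the client opts in AND the refresh token descends from an OIDC flow that
    // actually requested the openid scope. A password-grant refresh token never qualifies.
    public static bool ShouldIncludeIdToken(RefreshTokenRecord record, bool clientAllowsIdTokenOnRefresh)
    {
        if (record == null || !clientAllowsIdTokenOnRefresh) return false;
        if (!OidcGrants.Contains(record.OriginalGrantType ?? string.Empty)) return false;
        return record.Scopes != null && record.Scopes.Contains("openid", StringComparer.Ordinal);
    }

    public static TokenResponse Build(RefreshTokenRecord record, bool clientAllowsIdTokenOnRefresh,
                                      string issuer, long nowUnix)
    {
        var response = new TokenResponse
        {
            AccessToken = "new-access-token",   // placeholder; real issuance not modelled
            RefreshToken = "new-refresh-token"  // placeholder; rotation policy not modelled
        };

        if (ShouldIncludeIdToken(record, clientAllowsIdTokenOnRefresh))
        {
            // OIDC Core 12.2: iss, sub, auth_time and azp MUST equal the original
            // id_token's values; iat MUST be the issuance time of the new token.
            response.IdTokenClaims = new Dictionary<string, object>
            {
                ["iss"] = issuer,
                ["sub"] = record.Subject,
                ["aud"] = record.ClientId,
                ["azp"] = record.ClientId,
                ["auth_time"] = record.AuthTime,
                ["iat"] = nowUnix
            };
        }
        return response;
    }

    public static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

        // Constructed sample: refresh token obtained via the password grant.
        var fromPassword = new RefreshTokenRecord
        {
            OriginalGrantType = "password", Scopes = new[] { "openid", "api" },
            Subject = "818727", AuthTime = now - 600, ClientId = "native-app"
        };
        // Constructed sample: refresh token obtained via the authorization code grant.
        var fromCode = new RefreshTokenRecord
        {
            OriginalGrantType = "authorization_code", Scopes = new[] { "openid", "api" },
            Subject = "818727", AuthTime = now - 600, ClientId = "web-app"
        };

        var r1 = Build(fromPassword, clientAllowsIdTokenOnRefresh: true, issuer: "https://idp.example", nowUnix: now);
        var r2 = Build(fromCode, clientAllowsIdTokenOnRefresh: true, issuer: "https://idp.example", nowUnix: now);

        Console.WriteLine($"password grant -> id_token present: {r1.IdTokenClaims != null}"); // False
        Console.WriteLine($"code grant     -> id_token present: {r2.IdTokenClaims != null}"); // True
    }
}
```

The two knobs correspond to the two suggestions in the thread: `OriginalGrantType` answers "is it possible to detect such a case?" (only if the grant type is persisted with the refresh token, which is an assumption here), and `clientAllowsIdTokenOnRefresh` is the per-client enable/disable switch, defaulting to off on the caller's side if the behavior should be opt-in.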