auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License
476 stars 141 forks source link

Don't set `id_token` if not in refresh response #628

Open wryrye opened 4 months ago

wryrye commented 4 months ago

Checklist

Description

Per OpenID Connect Core 1.0 specifications, a successful refresh response "might not contain an id_token". This is the case for my setup.

Therefore, when I call AccessToken.refresh(), the id_token is set to undefined, which corrupts the session and forces me to re-authenticate. I'm almost certain this is the same issue encountered in #279.

Can we avoid setting id_token to undefined if the value is not present in the refresh response?

Reproduction

  1. Make a refresh request (req.oidc.accessToken.refresh()) where the response is missing an id_token
  2. Confirm subsequent accesses of req.oidc.idToken and req.oidc.user yield undefined

Additional context

Similar fix in another repo: https://github.com/authts/oidc-client-ts/issues/688

express-openid-connect version

^2.16.0

Express version

^4.18.2

Node.js version

20.12.1

wryrye commented 3 months ago

Tagging @stevenwong-okta since you seem to be active!