Don't set `id_token` if not in refresh response

[wryrye]

Checklist

• [X] The issue can be reproduced in the express-openid-connect sample app (or N/A).
• [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• [X] I have looked into the API documentation and have not found a suitable solution or answer.
• [X] I have searched the issues and have not found a suitable solution or answer.
• [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• [X] I agree to the terms within the Auth0 Code of Conduct.

Description

Per OpenID Connect Core 1.0 specifications, a successful refresh response "might not contain an id_token". This is the case for my setup.

Therefore, when I call AccessToken.refresh(), the id_token is set to undefined, which corrupts the session and forces me to re-authenticate. I'm almost certain this is the same issue encountered in #279.

Can we avoid setting id_token to undefined if the value is not present in the refresh response?

Reproduction

1. Make a refresh request (req.oidc.accessToken.refresh()) where the response is missing an id_token
2. Confirm subsequent accesses of req.oidc.idToken and req.oidc.user yield undefined

Additional context

Similar fix in another repo: https://github.com/authts/oidc-client-ts/issues/688

express-openid-connect version

^2.16.0

Express version

^4.18.2

Node.js version

20.12.1

[wryrye]

Tagging @stevenwong-okta since you seem to be active!