bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

No option to return id_token on token refresh #976

Open dejan9393 opened 4 years ago

dejan9393 commented 4 years ago

Currently, the refresh_token grant_type does not return an id_token, even when the openid scope is provided. The OIDC spec states the following:

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

The spec goes on to mention what parts of the id_token need to remain the same as the old ID token. This suggests that it should be optional to return an ID token on a successful token refresh.

In its current state, I'm successfully refreshing my access tokens, and I can retrieve info about my users at the /userinfo endpoint, but any apps using the id_tokens directly might be getting outdated data.

bshaffer commented 4 years ago

This would require creating a new Grant Type at src/OpenID/GrantType/RefreshToken.php, using this grant type instead when the openid option is set, and returning an id_token if desired.
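
As an added example (not code from oauth2-server-php and not from this thread), the following standalone PHP shows the claim rules such a grant type would have to follow when it mints an id_token on refresh, as given in OpenID Connect Core 1.0 section 12.2 (iss, sub and aud unchanged, iat set to the new issue time, auth_time kept at the original authentication time, azp carried over or absent, and the remaining claims issued the same way as at the original authentication), together with the check a relying party can run on the refreshed token. The function names, the constructed sample claims and the fixed clock are assumptions for illustration; wiring this into a grant type under src/OpenID/GrantType/ as suggested above is not shown.

```php
<?php
// Added example, not code from oauth2-server-php: claim handling for an
// id_token returned by the refresh_token grant (OIDC Core 1.0, section 12.2).
// Function names and sample data are assumptions made for this illustration.

declare(strict_types=1);

/** base64url without padding, as used by JWT (RFC 7515, appendix C). */
function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** at_hash for SHA-256 based signatures: left-most 128 bits of SHA-256(access_token). */
function atHash(string $accessToken): string
{
    return b64url(substr(hash('sha256', $accessToken, true), 0, 16));
}

/**
 * Build the claims of a refreshed ID Token from the one issued at the original
 * authentication. $freshUserClaims is what the provider's userinfo source
 * returns now (e.g. an updated email), which is the data the reporter wants
 * relying parties to receive instead of a stale id_token.
 */
function refreshIdTokenClaims(array $original, array $freshUserClaims, string $newAccessToken, int $now, int $lifetime): array
{
    // "Otherwise, the same rules apply as at the original authentication":
    // start from the current profile claims, then pin the identity claims.
    $claims = $freshUserClaims;

    // iss, sub and aud MUST be identical to the original ID Token.
    foreach (['iss', 'sub', 'aud'] as $fixed) {
        if (!array_key_exists($fixed, $original)) {
            throw new InvalidArgumentException("original ID Token lacks required claim '$fixed'");
        }
        $claims[$fixed] = $original[$fixed];
    }

    // iat MUST be the time the new token is issued; exp is recomputed from it.
    $claims['iat'] = $now;
    $claims['exp'] = $now + $lifetime;

    // auth_time, if present, stays the time of the original authentication.
    if (isset($original['auth_time'])) {
        $claims['auth_time'] = $original['auth_time'];
    } else {
        unset($claims['auth_time']);
    }

    // azp is carried over if it was there; if it was not, it MUST NOT appear.
    if (isset($original['azp'])) {
        $claims['azp'] = $original['azp'];
    } else {
        unset($claims['azp']);
    }

    // nonce is not among the claims section 12.2 pins; this example does not copy it.
    // at_hash must match the access token returned in the same response.
    $claims['at_hash'] = atHash($newAccessToken);

    return $claims;
}

/**
 * Relying-party side: does $refreshed satisfy section 12.2 relative to the
 * $original ID Token? Returns a list of violations; empty means it passes.
 */
function checkRefreshedIdToken(array $original, array $refreshed, int $now, int $leeway = 60): array
{
    $errors = [];
    foreach (['iss', 'sub', 'aud'] as $fixed) {
        if (($original[$fixed] ?? null) !== ($refreshed[$fixed] ?? null)) {
            $errors[] = "$fixed changed";
        }
    }
    if (!isset($refreshed['iat']) || $refreshed['iat'] > $now + $leeway) {
        $errors[] = 'iat missing or in the future';
    } elseif (isset($original['iat']) && $refreshed['iat'] < $original['iat']) {
        $errors[] = 'iat older than the original token';
    }
    if (isset($refreshed['auth_time'], $original['auth_time']) && $refreshed['auth_time'] !== $original['auth_time']) {
        $errors[] = 'auth_time does not match the original authentication';
    }
    if (($original['azp'] ?? null) !== ($refreshed['azp'] ?? null)) {
        $errors[] = 'azp changed, appeared or disappeared';
    }
    return $errors;
}

// --- Constructed sample run (fixed clock so the output is reproducible) ---
$now = 1700000000;
$originalIdToken = [
    'iss' => 'https://op.example', 'sub' => '24400320', 'aud' => 's6BhdRkqt3', 'azp' => 's6BhdRkqt3',
    'iat' => $now - 3600, 'exp' => $now - 3000, 'auth_time' => $now - 3700,
    'nonce' => 'n-0S6_WzA2Mj', 'email' => 'old@example.com',
];
// What the userinfo source returns now: the user changed their email address.
$freshUserClaims = ['email' => 'new@example.com', 'email_verified' => true];

$refreshed = refreshIdTokenClaims($originalIdToken, $freshUserClaims, 'new-access-token-1', $now, 600);
$errors = checkRefreshedIdToken($originalIdToken, $refreshed, $now);
echo json_encode($refreshed, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
echo $errors ? 'VIOLATIONS: ' . implode('; ', $errors) : 'refreshed id_token satisfies section 12.2', PHP_EOL;

// A refresh that swaps the subject (e.g. a storage lookup keyed by the wrong user) is caught:
$bad = $refreshed;
$bad['sub'] = '99999999';
echo implode('; ', checkRefreshedIdToken($originalIdToken, $bad, $now)), PHP_EOL;
```

The provider-side function starts from the current userinfo claims and then overwrites the pinned ones, so a profile change reaches the relying party while iss, sub, aud, azp and auth_time cannot drift; the relying-party check is what an app that consumes id_tokens directly should run before replacing its cached token.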

adisazhar123 commented 4 years ago

Hi, is anyone working on this? I'd like to have a shot if this is needed. Thanks.

adisazhar123 commented 4 years ago

Would love your review on #982 @dejan9393 @bshaffer Thanks