Remove identity id consistency validation from ClientApps (UserApps are unaffected).
Why?
ClientApps don't have the same token refresh ergonomics as UserApps.
If an access token is expired in a UserApp, it will raise an error which can be handled by the app and initiate a login flow.
If an access token is expired in a ClientApp, it will still return a ClientCredentialAuthorizer expecting that the access token will be refreshed by that authorizer down the line.
ClientCredentialAuthorizers exclusively request one token at a time.
Because of these two facts, a refresh initiated by a ClientCredentialAuthorizer will only ever contain identity info if it's refreshing specifically a globus auth token because that identity info only comes if you specify the special auth-managed "openid" scope.
Because this is a pretty widespread bug (any usage of a ClientApp), I advocate that we simply remove identity id consistency validation from ClientApps (thank you @rjmello for this suggestion) while planning to move off of ClientCredentialAuthorizer in the future.
Testing
Added a unit test that recreates a scenario users reported. Verified it failed before the fix & succeeded after it.
Simulated a client app token expiry scenario locally & observed that the groups token was successfully refreshed.
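
A minimal model of the failure described above, as an added example (not code from this PR or the SDK). `TokenStore`, `identity_of`, `fake_id_token` and the sample responses are hypothetical, and it assumes the validator rejects any token response that carries no identity info.

```python
import base64
import json

class MissingIdentity(Exception):
    """Token response carried no identity info (no id_token)."""

class IdentityMismatch(Exception):
    """Token response belongs to a different identity than the stored one."""

def fake_id_token(sub):
    # Constructed, unsigned JWT-shaped string; real id_tokens are signed.
    body = base64.urlsafe_b64encode(json.dumps({"sub": sub}).encode())
    return "e30." + body.decode().rstrip("=") + ".sig"

def identity_of(response):
    """Return the 'sub' claim of the response's id_token, or None if absent."""
    id_token = response.get("id_token")
    if id_token is None:
        return None
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

class TokenStore:
    def __init__(self, validate_identity):
        self.validate_identity = validate_identity
        self.identity_id = None
        self.tokens = {}

    def store(self, response):
        if self.validate_identity:
            ident = identity_of(response)
            if ident is None:
                raise MissingIdentity(response["resource_server"])
            if self.identity_id not in (None, ident):
                raise IdentityMismatch(ident)
            self.identity_id = ident
        self.tokens[response["resource_server"]] = response["access_token"]

# Constructed sample responses (placeholder names and token values).
AUTH_TOKEN = {"resource_server": "auth.example", "scope": "openid",
              "access_token": "auth-1", "id_token": fake_id_token("client-identity")}
GROUPS_REFRESH = {"resource_server": "groups.example", "scope": "groups",
                  "access_token": "groups-2"}  # no "openid" scope, so no id_token

def refresh_outcome(validate_identity):
    store = TokenStore(validate_identity)
    store.store(AUTH_TOKEN)
    try:
        store.store(GROUPS_REFRESH)  # single-token refresh, as a ClientApp does
    except MissingIdentity:
        return "rejected"
    return store.tokens["groups.example"]
```

With validation on, the single-token groups refresh is rejected even though nothing about the identity changed; with validation off, the refreshed token is stored.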