Use ID token on refresh if access token is not a JWT
Summary
Currently, the refresh flow assumes that the access token is a JWT and if it isn't, the refresh fails. The initial token fetch routine already copes with this case by parsing the id token first, and only then tries to parse the access token. I copied the same logic into the token refresh routine.
Use ID token on refresh if access token is not a JWT
Summary
Currently, the refresh flow assumes that the access token is a JWT and if it isn't, the refresh fails. The initial token fetch routine already copes with this case by parsing the id token first, and only then tries to parse the access token. I copied the same logic into the token refresh routine.
Type
[x] Bug fix [] Feature request [] Enhancement [] Docs
Why?
As far as I understand the OpenID Connect spec, you are not really supposed to parse the access token, and e.g. in the case of GitLab, it's not a JWT.
Requirements
Having an OIDC provider that sends access tokens that are not JWTs
How to try it?
Set up a GitLab application and use it, then see if the refresh flow works.
Additional informatoin
I don't really know either Go nor OpenID Connect, so please carefully review this and tell me if it makes sense.
Checklist: