manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License
1.86k stars 681 forks

Access_token-less use-case breaks because storage values are stored as strings but not actually treated as such #1373

Open max-kahnt-keylight opened 7 months ago

max-kahnt-keylight commented 7 months ago

Describe the bug
For a fully id_token based use-case, token refresh is happening all the time.

In particular, IDP responses that do not contain an access_token will still result in getAccessToken() yielding 'undefined' (as a string!) which is truthy and hence set off a setupAccessTokenTimer() call resulting in a 0 timeout ('token_expires', 'access_token') event.

I am exploring using custom storage or custom refresh behavior to work around this issue.

Expected behavior
Do not refresh based on a non-existing access_token.


Additional context
The OAuthStorage class interface is string-based, which nicely falls in line with local/sessionStorage behavior but differs from the MemoryStorage implementation when storing undefined values.
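The mechanism the report describes, as an added example (not code from angular-oauth2-oidc): a Web Storage-like store coerces every value to a string, so writing an absent `access_token` produces the literal string `'undefined'`, which is truthy and passes a naive "do we have a token?" check. The `StringStorage` interface, the `CoercingStorage` and `RawStorage` classes, the `storeResponse*`/`readAccessToken` helpers and the placeholder token value are all assumptions made for this illustration; the hardened variant removes the key instead of writing an absent field and treats stringified nullish literals as "no token".

```typescript
// Added example, not the library's code. Reproduces the 'undefined'-as-a-string
// problem and shows a defensive read and write.

// Assumed minimal shape of a string-based token storage, modelled on the
// getItem/removeItem/setItem trio that localStorage/sessionStorage expose.
interface StringStorage {
  getItem(key: string): string | null;
  removeItem(key: string): void;
  setItem(key: string, data: string): void;
}

// Mimics Web Storage: every stored value is coerced to a string, so
// setItem('k', undefined) stores the nine-character string 'undefined'.
class CoercingStorage implements StringStorage {
  private readonly data = new Map<string, string>();
  getItem(key: string): string | null {
    const v = this.data.get(key);
    return v == null ? null : v;
  }
  removeItem(key: string): void { this.data.delete(key); }
  setItem(key: string, data: string): void { this.data.set(key, String(data)); }
}

// Object-backed store that keeps whatever it is given, so an undefined value
// stays undefined (the in-memory behaviour the report contrasts with Web Storage).
class RawStorage implements StringStorage {
  private readonly data: Record<string, string | undefined> = {};
  getItem(key: string): string | null {
    // Deliberately returns undefined (not null) for missing/undefined values.
    return this.data[key] as string;
  }
  removeItem(key: string): void { delete this.data[key]; }
  setItem(key: string, data: string): void { this.data[key] = data; }
}

interface TokenResponse { id_token: string; access_token?: string; }

// Problematic pattern: write whatever the IDP returned, even when the field is
// absent, straight into string-based storage.
function storeResponseNaively(storage: StringStorage, r: TokenResponse): void {
  storage.setItem('id_token', r.id_token);
  storage.setItem('access_token', r.access_token as string); // undefined -> 'undefined' in Web Storage
}

// Hardened variant: absent or empty fields are removed rather than written.
function storeResponseSafely(storage: StringStorage, r: TokenResponse): void {
  storage.setItem('id_token', r.id_token);
  if (typeof r.access_token === 'string' && r.access_token !== '') {
    storage.setItem('access_token', r.access_token);
  } else {
    storage.removeItem('access_token');
  }
}

// The truthiness check that would set off a timer: 'undefined' is truthy.
function naiveHasAccessToken(storage: StringStorage): boolean {
  return !!storage.getItem('access_token');
}

// Defensive read: null, undefined, '' and the stringified nullish literals
// all mean "no access token".
const NULLISH_STRINGS = new Set(['undefined', 'null']);
function readAccessToken(storage: StringStorage): string | null {
  const v = storage.getItem('access_token');
  if (v == null || v === '' || NULLISH_STRINGS.has(v)) return null;
  return v;
}

function shouldStartAccessTokenTimer(storage: StringStorage): boolean {
  return readAccessToken(storage) !== null;
}

// Constructed sample: an id_token-only response with no access_token field.
// The id_token value is a placeholder, not a real token.
const ID_TOKEN_ONLY: TokenResponse = { id_token: 'placeholder.id.token' };

function demo(): Record<string, unknown> {
  const web = new CoercingStorage();
  storeResponseNaively(web, ID_TOKEN_ONLY);
  const mem = new RawStorage();
  storeResponseNaively(mem, ID_TOKEN_ONLY);
  const fixed = new CoercingStorage();
  storeResponseSafely(fixed, ID_TOKEN_ONLY);
  return {
    webStored: web.getItem('access_token'),          // 'undefined'
    webNaiveCheck: naiveHasAccessToken(web),          // true  (the bug)
    webSafeCheck: shouldStartAccessTokenTimer(web),   // false
    memNaiveCheck: naiveHasAccessToken(mem),          // false
    fixedNaiveCheck: naiveHasAccessToken(fixed),      // false
  };
}

console.log(demo());
```

The two stores diverge only on the write of an absent value, which is why a truthiness check behaves differently between a localStorage-backed deployment and an in-memory one; guarding both the write and the read keeps the behaviour identical regardless of which storage is configured.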

max-kahnt-keylight commented 7 months ago

Shortly after posting this I noticed that the listenTo property in the setupAutomaticSilentRefresh might be the flag to avoid the bad refresh behavior. I am leaving this issue open nevertheless, since I believe my observation about the improper handling of nullish storage values to be true and it might be the cause of other unexpected behavior as well.