openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

[Question] Missing Id Token on Refresh #392

Open mattinger opened 6 years ago

mattinger commented 6 years ago

I'm having a hard time making this happen due to socket timeouts and such, and figured I'd ask here.

Is there a particular set behavior for what happens when a token refresh comes back without an id token field?

Will the id token from the initial authentication be used? (authState.mAuthorizationResponse.idToken)

The code suggests that, but I wanted to double check. We're using the code response type, so we get an auth code back, and not the access token directly. We then exchange that ourselves, so it's unclear to me if the authorization response would even have the token in it.

    @Nullable
    public String getIdToken() {
        if (mAuthorizationException != null) {
            return null;
        }
        if (mLastTokenResponse != null && mLastTokenResponse.idToken != null) {
            return mLastTokenResponse.idToken;
        }
        if (mLastAuthorizationResponse != null) {
            return mLastAuthorizationResponse.idToken;
        }
        return null;
    }

iainmcgin commented 6 years ago

With the authorization code flow, if you specify the "openid" scope as part of the authorization request, then you should get both a refresh token and an ID token as part of the code exchange. This is documented in Section 3.1.3.3 of the OIDC spec. So, in that case, mLastTokenResponse.idToken in your AuthState should have the value you want. The second clause deals with the implicit or hybrid flows, where you specified id_token or code id_token as the grant type for the authorization request (documented in Section 3), and therefore get the ID token provided back directly in the authorization response.

One thing to watch out for is that if your AuthState is updated with a subsequent token exchange (e.g. to get a new, fresh access token) then you might lose the ID token. I brought this up in #34; we haven't decided on whether that actually needs a fix or not, or is "working as intended".
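The scenario iainmcgin describes (a refresh grant whose token response omits `id_token`, after which the lookup order quoted in the question yields `null` for a code-flow client) can be reproduced with a small stand-alone model. The following is an added illustration, not AppAuth's own code: the `TokenResponse`, `AuthorizationResponse` and `AuthState` classes below are constructed stand-ins that only mirror the field names from the snippet above, the sample token strings are constructed, and the `mLastSeenIdToken` / `getLastSeenIdToken()` fallback is a hypothetical mitigation that does not exist in the library.

```java
/**
 * Constructed model of the ID-token lookup order quoted in the question and
 * of what a refresh response without id_token does to it. None of these
 * classes are AppAuth's; they exist only to make the behaviour observable.
 */
public class IdTokenAfterRefreshDemo {

    /** Stand-in for a token endpoint response (fields mirror the snippet). */
    static final class TokenResponse {
        final String accessToken;
        final String refreshToken;
        final String idToken;   // null when the server sends no id_token field

        TokenResponse(String accessToken, String refreshToken, String idToken) {
            this.accessToken = accessToken;
            this.refreshToken = refreshToken;
            this.idToken = idToken;
        }
    }

    /** Stand-in for an authorization response; code flow carries no id_token. */
    static final class AuthorizationResponse {
        final String code;
        final String idToken;   // only populated for implicit / hybrid response types

        AuthorizationResponse(String code, String idToken) {
            this.code = code;
            this.idToken = idToken;
        }
    }

    /** Stand-in for AuthState holding the last two responses it was updated with. */
    static final class AuthState {
        private AuthorizationResponse mLastAuthorizationResponse;
        private TokenResponse mLastTokenResponse;
        // Hypothetical: remember the most recent id_token actually received,
        // so a later refresh without one does not erase it. Not AppAuth API.
        private String mLastSeenIdToken;

        void update(AuthorizationResponse response) {
            mLastAuthorizationResponse = response;
            if (response.idToken != null) {
                mLastSeenIdToken = response.idToken;
            }
        }

        void update(TokenResponse response) {
            // Each token exchange replaces the previous one, exactly as in the
            // issue: a refresh with no id_token overwrites the one from the
            // original code exchange.
            mLastTokenResponse = response;
            if (response.idToken != null) {
                mLastSeenIdToken = response.idToken;
            }
        }

        /** Same lookup order as the getIdToken() quoted in the question. */
        String getIdToken() {
            if (mLastTokenResponse != null && mLastTokenResponse.idToken != null) {
                return mLastTokenResponse.idToken;
            }
            if (mLastAuthorizationResponse != null) {
                return mLastAuthorizationResponse.idToken;
            }
            return null;
        }

        /** Hypothetical defensive accessor; returns the last id_token seen, if any. */
        String getLastSeenIdToken() {
            return mLastSeenIdToken;
        }
    }

    public static void main(String[] args) {
        AuthState state = new AuthState();

        // Code flow with the openid scope: the authorization response has only
        // a code; the code exchange returns access, refresh and ID tokens.
        state.update(new AuthorizationResponse("code-abc", null));       // constructed values
        state.update(new TokenResponse("at-1", "rt-1", "idtok-1"));      // constructed values
        System.out.println("after code exchange: " + state.getIdToken()); // idtok-1

        // Refresh grant: constructed response that omits the id_token field.
        state.update(new TokenResponse("at-2", "rt-1", null));
        System.out.println("after refresh:       " + state.getIdToken()); // null, ID token lost
        System.out.println("last seen id_token:  " + state.getLastSeenIdToken()); // idtok-1
    }
}
```

Run with `javac IdTokenAfterRefreshDemo.java && java IdTokenAfterRefreshDemo`. The point of the model is the second `update(TokenResponse)` call: because `mLastTokenResponse` is replaced wholesale, the `null` in the refresh response shadows the ID token obtained at the original code exchange, and the authorization response cannot fill the gap in the code flow. If an application relies on the ID token after refreshes, it should keep its own validated copy (as `mLastSeenIdToken` does here) rather than assuming the state object retains it, and should only cache an ID token it has already validated.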