vmware-tanzu / pinniped

Pinniped is the easy, secure way to log in to your Kubernetes clusters.
https://pinniped.dev
Apache License 2.0

Pinniped Refresh Token Workflow fails with Userinfo EndPoint. #1956

Open albgf88 opened 3 months ago

albgf88 commented 3 months ago

What happened?

Every time the access token lifetime ends (5 minutes), the user is prompted again to authenticate because the refresh token workflow fails.

What did you expect to happen?

The refresh token workflow works fine and users are not prompted to log in again every 5 minutes.

What is the simplest way to reproduce this behavior?

With Postman we can reproduce the issue: get an access token with scp: openid, then with the refresh_token workflow the new access token doesn't include scp: openid, so when we POST to the adfs/userinfo endpoint with this new access token we get a 403 error.

In what environment did you see this bug?

What else is there to know about this bug?

Since we updated from TKG 2.2 (Pinniped v0.12.1) to TKG 2.3 (Pinniped 0.24), we have an issue with the refresh token workflow. We detect on our external OIDC provider that when the access token is refreshed, the new access token does not include the claim scp=openid (scope). Because the new access token does not have this claim, when Pinniped tries to communicate with the adfs/userinfo endpoint we get a 403 error, since calling this endpoint requires the openid scope.

When the Pinniped refresh token workflow starts, we receive an error in our external OIDC logs.

[image: screenshot of the error in the external OIDC logs]

We can simulate this scenario with Postman and confirm that at the first login the first access token has scp: openid, but when it is refreshed with the refresh token, the new access token does not have scp: openid.

If there is some possibility for Pinniped's refresh token workflow to include that key, it will work fine.
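As an added example, not part of the issue or of the Pinniped project, here is the check a practitioner would script to confirm the report offline: decode the `scp` claim of the login-time and refreshed access tokens, predict whether `/adfs/userinfo` will accept each, and build the refresh_token grant body with and without the optional `scope` parameter from RFC 6749 section 6. The tokens, issuer, audience, client id and claim values are constructed for the example; a real ADFS token is signed and its signature should be verified before its claims are trusted.

```python
from __future__ import annotations

import base64
import json
from urllib.parse import urlencode


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature. Only for constructing sample tokens."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_scopes(access_token: str) -> set[str]:
    """Return the scopes carried by an access token.

    Reads the ADFS/Azure AD `scp` claim and falls back to `scope` (RFC 9068).
    Either may be a space-separated string or a JSON list. The signature is
    NOT verified: this is for inspecting a token you already received from
    the provider, not for trusting a token presented by someone else.
    """
    payload = json.loads(b64url_decode(access_token.split(".")[1]))
    raw = payload.get("scp", payload.get("scope", []))
    if isinstance(raw, str):
        raw = raw.split()
    return set(raw)


def userinfo_accepts(access_token: str) -> bool:
    """Predict whether ADFS /adfs/userinfo will accept the bearer token.

    The endpoint requires the openid scope on the token; a token without it
    is refused with 403, which is the failure described in the issue.
    """
    return "openid" in token_scopes(access_token)


def refresh_request_body(refresh_token: str, client_id: str,
                         scopes: list[str] | None = None) -> str:
    """Form body for the refresh_token grant (RFC 6749 section 6).

    `scope` is optional in the grant. When it is omitted the server chooses
    which scopes the new token carries; passing the originally granted scopes
    asks for them explicitly, which is what the reporter is requesting.
    """
    params = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


# Constructed sample tokens (issuer, audience, subject and times are made up).
LOGIN_TOKEN = make_unsigned_jwt({
    "iss": "https://adfs.example.test/adfs",
    "aud": "pinniped-supervisor",
    "sub": "alice",
    "scp": "openid profile email",
    "exp": 1700000300,
})
REFRESHED_TOKEN = make_unsigned_jwt({
    "iss": "https://adfs.example.test/adfs",
    "aud": "pinniped-supervisor",
    "sub": "alice",
    "scp": "profile email",  # openid is missing after the refresh grant
    "exp": 1700000600,
})


if __name__ == "__main__":
    for name, tok in (("login", LOGIN_TOKEN), ("refreshed", REFRESHED_TOKEN)):
        print(f"{name}: scopes={sorted(token_scopes(tok))} "
              f"userinfo_ok={userinfo_accepts(tok)}")
    print(refresh_request_body("rt-123", "pinniped-supervisor",
                               ["openid", "profile", "email"]))
```

Running it shows the login token carrying openid and the refreshed one not; the form body printed last, with `scope=openid+profile+email`, is the refresh request the reporter is asking Pinniped to send so that the provider re-grants the openid scope.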