oauth2-server-php

No option to return id_token on token refresh

Open dejan9393 opened this issue 5 years ago • 3 comments

Currently, the refresh_token grant_type does not return an id_token, even when the openid scope is provided. The OIDC spec states the following:

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

The spec goes on to mention what parts of the id_token need to remain the same as the old ID token. This suggests that it should be optional to return an ID token on a successful token refresh.

In its current state, I'm successfully refreshing my access tokens, and I can retrieve info about my users at the /userinfo endpoint, but any apps using the id_tokens directly might be getting outdated data.

dejan9393 avatar Mar 06 '20 04:03 dejan9393
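
The spec passage referred to above (OpenID Connect Core, section 12.2) lists which claims of a refreshed ID token must stay tied to the original one. The comparison, as a relying party could run it on the two decoded claim sets, is sketched below as an added example; it is not code from oauth2-server-php or from the issue's participants, and the function name and sample claims are hypothetical.

```php
<?php
// Added example: hypothetical helper, not part of oauth2-server-php.
// Assumes signature, exp and audience of both tokens were already validated.
function checkRefreshedIdTokenClaims(array $old, array $new, int $now, int $skew = 60): array
{
    $errors = [];

    // iss and sub must be identical to the original ID token.
    foreach (['iss', 'sub'] as $claim) {
        if (!isset($old[$claim], $new[$claim]) || $old[$claim] !== $new[$claim]) {
            $errors[] = "$claim must match the original ID token";
        }
    }

    // iat must be the issue time of the new token (checked against the local clock).
    if (!isset($new['iat']) || !is_int($new['iat']) || abs($now - $new['iat']) > $skew) {
        $errors[] = 'iat must be the time the new ID token was issued';
    }

    // aud may be a string or a list; here every original audience must still be present.
    $oldAud = (array) ($old['aud'] ?? []);
    $newAud = (array) ($new['aud'] ?? []);
    if ($oldAud === [] || array_diff($oldAud, $newAud) !== []) {
        $errors[] = 'aud must include the original audience';
    }

    // auth_time stays at the original authentication time, not the refresh time.
    if (isset($old['auth_time'], $new['auth_time']) && $old['auth_time'] !== $new['auth_time']) {
        $errors[] = 'auth_time must be the original authentication time';
    }

    // azp must match; if the original had none, the new token must have none either.
    if (($old['azp'] ?? null) !== ($new['azp'] ?? null)) {
        $errors[] = 'azp must match the original ID token (or stay absent)';
    }

    return $errors;
}

// Constructed sample claims, for illustration only.
$old  = ['iss' => 'https://op.example', 'sub' => 'user-1', 'aud' => 'client-a',
         'iat' => 1583470000, 'auth_time' => 1583469990];
$now  = 1583473600;
$good = ['iat' => $now] + $old;                               // only iat moves forward
$bad  = ['sub' => 'user-2', 'auth_time' => $now] + $good;     // subject and auth_time changed

var_dump(checkRefreshedIdTokenClaims($old, $good, $now));
var_dump(checkRefreshedIdTokenClaims($old, $bad, $now));
```

A client that accepts a refreshed ID token without this comparison can end up associating a session with a different subject or a newer authentication time than the one the user actually established.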

This would require creating a new Grant Type at src/OpenID/GrantType/RefreshToken.php, using this grant type instead when the openid option is set, and returning an id_token if desired.

bshaffer avatar Mar 11 '20 21:03 bshaffer

Hi, is anyone working on this? I'd like to have a shot if this is needed. Thanks.

adisazhar123 avatar Jun 08 '20 14:06 adisazhar123

Would love your review on #982 @dejan9393 @bshaffer Thanks

adisazhar123 avatar Jun 12 '20 03:06 adisazhar123