OpenID-Connect-PHP
#396 - Set the id token if it is returned via the refreshToken endpoint
If the id token is present when refreshing, capture it
Do we need to validate the id_token?
https://github.com/jumbojett/OpenID-Connect-PHP/blob/5d69bcf15478bf11f32f7344afaa2f2640b9bd2a/src/OpenIDConnectClient.php#L341-L353
@ricklambrechts technically, yes. There are a load of rules in the spec:
If an ID Token is returned as a result of a token refresh request, the following requirements apply:
- its iss Claim Value MUST be the same as in the ID Token issued when the original authentication occurred,
- its sub Claim Value MUST be the same as in the ID Token issued when the original authentication occurred,
- its iat Claim MUST represent the time that the new ID Token is issued,
- its aud Claim Value MUST be the same as in the ID Token issued when the original authentication occurred,
- if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued,
- its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token, and otherwise, the same rules apply as apply when issuing an ID Token at the time of the original authentication.
But I erred on the side of the same amount of validation that's going on for the accessToken as part of the refreshToken grant (which is 'does it exist? Yes. Therefore it is valid') ;-)
I'd suggest creating another ticket for token validation as part of the refresh mechanism and tackling the problem incrementally
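As an added illustration of the checks listed in the spec excerpt above (example code written for this discussion, not part of OpenID-Connect-PHP; the function name, the `$leeway` parameter and the sample claims are assumptions), a stand-alone comparison of a refreshed ID Token's claims against the original one:

```php
<?php
// Added example, not part of OpenID-Connect-PHP. Applies the OIDC Core 12.2 rules for
// an ID Token obtained through the refresh_token grant by comparing its claims with the
// ID Token from the original authentication. Inputs are decoded JWT payloads; signature
// and exp checks are assumed to happen elsewhere. Returns a list of rule violations.
function validateRefreshedIdTokenClaims(array $original, array $refreshed, ?int $now = null, int $leeway = 60): array
{
    $now = $now ?? time();
    $errors = [];
    // iss and sub MUST be identical to the original ID Token
    foreach (['iss', 'sub'] as $claim) {
        if (!isset($refreshed[$claim]) || $refreshed[$claim] !== ($original[$claim] ?? null)) {
            $errors[] = "$claim does not match the original ID Token";
        }
    }
    // aud MUST match; it may be a string or an array, so compare as sorted lists
    $audList = static function ($aud): array { $a = (array) $aud; sort($a); return $a; };
    if (!isset($refreshed['aud']) || $audList($refreshed['aud']) !== $audList($original['aud'] ?? [])) {
        $errors[] = 'aud does not match the original ID Token';
    }
    // iat MUST be the issue time of the new token: not in the future, not before the original
    if (!is_int($refreshed['iat'] ?? null)) {
        $errors[] = 'iat missing or not numeric';
    } elseif ($refreshed['iat'] > $now + $leeway || $refreshed['iat'] < ($original['iat'] ?? 0)) {
        $errors[] = 'iat is not a plausible issue time for the refreshed token';
    }

    // auth_time, when present in both, MUST still be the original authentication time
    if (isset($refreshed['auth_time'], $original['auth_time'])
        && $refreshed['auth_time'] !== $original['auth_time']) {
        $errors[] = 'auth_time differs from the original authentication time';
    }

    // azp: absent in both tokens, or identical in both
    if (!array_key_exists('azp', $original)) {
        if (array_key_exists('azp', $refreshed)) {
            $errors[] = 'azp present although the original ID Token had none';
        }
    } elseif (($refreshed['azp'] ?? null) !== $original['azp']) {
        $errors[] = 'azp does not match the original ID Token';
    }
    return $errors;
}

// Constructed sample claims: the refreshed token changes sub and adds an azp, so two violations are reported.
$original  = ['iss' => 'https://op.example', 'sub' => 'alice', 'aud' => 'client-1', 'iat' => 1700000000, 'auth_time' => 1699999990];
$refreshed = ['iss' => 'https://op.example', 'sub' => 'bob',   'aud' => 'client-1', 'iat' => 1700003600, 'auth_time' => 1699999990, 'azp' => 'client-1'];
print_r(validateRefreshedIdTokenClaims($original, $refreshed, 1700003600));
```

A non-empty result means the refreshed ID Token should be rejected rather than stored as the new id token.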