node-solid-server

OAuth refresh grant returns 500 internal server error

Open NSeydoux opened this issue 4 years ago • 3 comments

The OpenID configuration available at the .well-known IRI for the NSS identity provider (e.g. https://solid.zwifi.eu/.well-known/openid-configuration) indicates support for the refresh_token grant. However, when issuing a refresh token request that should be valid (see below), the response is Internal Server Error.

curl --location --request POST 'https://solid.zwifi.eu/token' \
--header 'Authorization: Basic <client id:client secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<refresh token>'

Steps to reproduce:

  • Get a client ID, secret and a refresh token. That may be done by inspecting the dynamic registration of a client when logging in with an app for instance.
  • Use the credentials to fill in the request above (client ID and secret should be base64-encoded).

Expected result

A 200 response with a JSON object in the body containing a new, valid access token.

Observed result

An internal error

Should this issue be reported here in the NSS repo, or in https://github.com/solid/oidc-auth-manager?

NB: This is kind of related to https://github.com/solid/node-solid-server/issues/641

NSeydoux, Dec 02 '20 11:12
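
Added example, not part of the issue and not NSS or oidc-op code: a Node.js sketch that builds the refresh request shown in the curl command above only when the discovery document advertises the grant, and classifies the token endpoint's reply so that a 500 is told apart from a spec-conformant OAuth error such as invalid_grant. The host `idp.example`, the credentials, and the function names are constructed for illustration.

```javascript
// Added example: not NSS or oidc-op code. Endpoint and credentials are constructed.

// RFC 6749 section 2.3.1: each half of the Basic credential is form-encoded
// (Appendix B) before "id:secret" is base64-encoded.
function formEncode(s) {
  return encodeURIComponent(s)
    .replace(/[!'()~]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Build the refresh request only if the discovery document advertises the grant.
function buildRefreshRequest(discovery, clientId, clientSecret, refreshToken) {
  // OpenID Connect Discovery default when grant_types_supported is omitted.
  const grants = discovery.grant_types_supported || ['authorization_code', 'implicit'];
  if (!grants.includes('refresh_token')) {
    throw new Error('refresh_token grant is not advertised');
  }
  const basic = Buffer.from(`${formEncode(clientId)}:${formEncode(clientSecret)}`)
    .toString('base64');
  return {
    method: 'POST',
    url: discovery.token_endpoint,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken,
    }).toString(),
  };
}

// RFC 6749 section 5.1 (success) and 5.2 (error) define the conformant replies.
// Anything else, including a 500 with a plain-text body, is 'nonconformant'.
function classifyTokenResponse(status, bodyText) {
  let json = null;
  try { json = JSON.parse(bodyText); } catch (_) { /* body is not JSON */ }
  if (status === 200 && json && typeof json.access_token === 'string') return 'ok';
  if (status >= 400 && status < 500 && json && typeof json.error === 'string') {
    return `oauth_error:${json.error}`;
  }
  return 'nonconformant';
}

// Constructed discovery document for the demo.
const sampleDiscovery = {
  token_endpoint: 'https://idp.example/token',
  grant_types_supported: ['authorization_code', 'refresh_token'],
};
console.log(classifyTokenResponse(500, 'Internal Server Error'));
```

An expired or revoked refresh token should come back as a 4xx with an `error` member; a `nonconformant` result points at the server rather than at the client's request.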

Seeing the same. Also getting a 500 error without Authorization header and with passing client ID and secret in query parameters.

agentydragon, Feb 16 '21 10:02

Well, it looks like it was never implemented: https://github.com/solid/oidc-op/blame/main/src/handlers/TokenRequest.js#L500. The refresh method of AccessToken needs to be created. Though, all the infrastructure that's needed before that seems to be there.

jaxoncreed, Feb 25 '21 18:02

Okay I've built the feature here: https://github.com/solid/oidc-op/pull/30. Note that this has not been thoroughly tested.

jaxoncreed, Feb 25 '21 22:02