refresh request discards id_token #364
Comments
Merged the feat into
This sounds like a good and simple solution.
Is also an option; however, the Both option sounds good to me, but it depends how much work we want to put into this :).
@muhlemmer do you want to introduce
BREAKING CHANGE:
- rename RefreshAccessToken to RefreshToken
- RefreshToken returns *oidc.Tokens instead of *oauth2.Token

This change allows the return of the id_token in an explicit manner, as part of the oidc.Tokens struct. The return type is now consistent with the CodeExchange function. When an id_token is returned, it is verified. In case no id_token was received, RefreshTokens will not return an error. As per specification: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

Closes #364
🎉 This issue has been resolved in version 3.0.0-next.9 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀
🎉 This issue has been resolved in version 3.0.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀
Is your feature request related to a problem? Please describe.

Token refresh MAY return an id_token. See openid.net

`rp.RefreshAccessToken` discards the returned `id_token` (assuming it was returned). Debugging shows an `id_token` returned in the response, but the returned model, `oauth2.Token`, doesn't include IDToken.

Why do I care? Keycloak wants `id_token_hint` filled out when doing a logout.

Describe the solution you'd like

Introduce `rp.RefreshTokens` and deprecate `rp.RefreshAccessToken`. The new function would return

Describe alternatives you've considered

Considering:

- return `*oidc.Tokens[C]` instead of the above simple composite. @muhlemmer: what do you think?
- build `RefreshTokens()` on top of `oauth2.ReuseTokenSourceWithExpiry()`. That has to be fed an `*oauth2.Token`, so the current API to `RefreshAccessToken` probably has to change unless we can build an `*oauth2.Token` from what we have there. Maybe? I may give this a try because if it works, the resulting `*oauth2.Token` could include an `id_token` that can be extracted with `Extra()`. This might look like:
- `id_token` using `token.WithExtra()`.

Rejected:

- `id_token`, `RefreshAccessToken`: let's not keep supporting a broken interface.
- `RefreshAccessToken` only in v3

Additional context

The server side, in pkg/op, returns an `id_token` for token refresh but pkg/client/rp ignores it.
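The refresh-response handling this issue asks for, as an added example that is not code from zitadel/oidc or from the issue author: the response body is parsed into an assumed `Tokens` struct (a stand-in for the `oidc.Tokens`-style return value proposed above), a missing `id_token` is not treated as an error, and a present one is signature-checked and its `iss`, `sub` and `aud` compared with the original authentication, which is what OpenID Connect Core 1.0 section 12.2 requires of a refreshed ID Token. Signing uses HS256 keyed with the client secret, one of the signing options OIDC permits, so the whole thing runs offline; the `Expectations` type, the helper names, the client secret and the sample response bodies are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Tokens struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token,omitempty"` // empty when the OP omitted id_token
} // assumed stand-in for the oidc.Tokens-style value proposed in the issue, not the library's type

// Expectations come from the original login; OIDC Core 1.0 section 12.2 requires the same iss, sub and aud.
type Expectations struct{ Issuer, Subject, ClientID string }
var enc = base64.RawURLEncoding

// signHS256 builds an HS256 JWT keyed with the client secret (OIDC permits this); used only to build the sample id_token.
func signHS256(claims map[string]any, secret []byte) string {
	payload, _ := json.Marshal(claims)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// verifyHS256 checks the alg header and the signature, then returns the decoded claims.
func verifyHS256(raw string, secret []byte) (map[string]any, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("id_token: malformed JWT")
	}
	var hdr struct{ Alg string }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("id_token: unexpected or unreadable alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("id_token: signature mismatch")
	}
	var claims map[string]any
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("id_token: unreadable payload")
	}
	return claims, nil
}

// audOK accepts aud either as a single string or as an array of strings.
func audOK(aud any, clientID string) bool {
	list, ok := aud.([]any)
	if !ok {
		list = []any{aud}
	}
	for _, a := range list {
		if a == clientID {
			return true
		}
	}
	return false
}

// RefreshTokens parses a refresh response: no id_token is not an error; a present one must verify and match exp.
func RefreshTokens(body []byte, exp Expectations, secret []byte) (*Tokens, error) {
	var t Tokens
	if err := json.Unmarshal(body, &t); err != nil || t.AccessToken == "" {
		return nil, errors.New("refresh: unreadable response or no access_token")
	}
	if t.IDToken == "" {
		return &t, nil // the spec allows the response to omit id_token
	}
	claims, err := verifyHS256(t.IDToken, secret)
	if err != nil {
		return nil, err
	}
	if claims["iss"] != exp.Issuer || claims["sub"] != exp.Subject || !audOK(claims["aud"], exp.ClientID) {
		return nil, errors.New("id_token: iss/sub/aud differ from the original authentication")
	}
	return &t, nil // t.IDToken is verified and can serve as id_token_hint at logout
}

// Constructed fixtures: a made-up client secret, session expectations and a response builder.
var sampleSecret, sampleExp = []byte("constructed-client-secret-example-only"), Expectations{Issuer: "https://op.example.test", Subject: "user-123", ClientID: "rp-client"}
func SampleBody(sub string) []byte { // sub == "" means the OP sent no id_token
	body := `{"access_token":"at-new"`
	if sub != "" {
		body += `,"id_token":"` + signHS256(map[string]any{"iss": sampleExp.Issuer, "sub": sub, "aud": sampleExp.ClientID}, sampleSecret) + `"`
	}
	return []byte(body + "}")
}

func main() {
	for _, sub := range []string{"", "user-123", "someone-else"} {
		t, err := RefreshTokens(SampleBody(sub), sampleExp, sampleSecret)
		fmt.Printf("sub=%q err=%v id_token=%t\n", sub, err, err == nil && t.IDToken != "")
	}
}
```

Running `main` shows the three cases the issue and the commit message care about: a response without `id_token` succeeds with an empty `IDToken`, a response with a valid `id_token` for the same subject succeeds and keeps it for later use as `id_token_hint`, and an `id_token` for a different subject is rejected. A real relying party would verify against the OP's JWKS and the algorithm configured for the client instead of the HS256 shortcut used here, but the claim-consistency check against the original authentication is the same.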