Hi, Guillaume.
The OIDC core spec doesn't make returning `id_token` in this case (refresh) a mandatory step. I don't think it can be changed without modifying the sources. You could try to submit a feature request [here](https://github.com/GluuFederation/oxAuth), if you wish.
The refresh token flow is expected to happen directly between the client and the OP, and it's expected that HTTPS is used as well, so I'm not sure that check is mandatory. The spec doesn't enforce anything like this either.