By: Guillaume Smaha user 07 Aug 2017 at 2:21 p.m. CDT

1 Response
Hi. We use the code flow for the initial token retrieval for our application and follow that with refresh token negotiations when the tokens need to be renewed. We use a library for the token validations that compares the hash of the current access token with the access token hash that's within the ID token. Our current issue is that, since the refresh token negotiation (grant_type=refresh_token) only returns another refresh & access token, we can't run the same validations as on the initial code negotiation (grant_type=authorization_code). Is it possible to have grant_type=refresh_token also return an ID token? Are we doing something wrong here?

By Aliaksandr Samuseu staff 07 Aug 2017 at 3:16 p.m. CDT

Hi, Guillaume. The OIDC core spec doesn't make returning `id_token` in this case (refresh) a mandatory step. I don't think it may be changed without modifying sources. You could try to submit a feature request [here](https://github.com/GluuFederation/oxAuth), if you wish. The refresh token flow is expected to happen directly between client and OP, and it's expected that HTTPS is used as well, so I'm not sure that check is mandatory. The spec doesn't enforce something like this either.
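The check Guillaume describes is the `at_hash` validation from OIDC Core (section 3.1.3.6): hash the access token with the hash function matching the ID token's `alg`, keep the left-most half of the digest, base64url-encode it without padding, and compare it with the `at_hash` claim. The added example below, which is not code from this thread, from Gluu or from oxAuth, implements that check and then runs it over two constructed token responses: a code-grant response that carries an ID token and a refresh-grant response that does not, which is exactly why the same validation cannot run in the second case. The sample tokens and the dummy signature are constructed for illustration; in real use the ID token's signature must be verified with the OP's JWKS before any claim in it is trusted.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that compact JWT segments strip.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OIDC Core 3.1.3.6: left half of the digest, base64url without padding.

    The digest is SHA-256 for *256 algs, SHA-384 for *384, SHA-512 for *512.
    """
    if alg[2:] not in ("256", "384", "512"):
        raise ValueError(f"unsupported ID token alg: {alg}")
    digest = hashlib.new("sha" + alg[2:], access_token.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims). Signature is NOT checked here;
    a real client verifies it against the OP's JWKS first (assumption: done elsewhere)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def verify_at_hash(access_token: str, id_token: str) -> bool:
    header, claims = decode_jwt_unverified(id_token)
    expected = compute_at_hash(access_token, header.get("alg", "RS256"))
    actual = claims.get("at_hash")
    if not isinstance(actual, str):
        return False  # at_hash absent: the binding cannot be established
    return hmac.compare_digest(expected, actual)


def validate_token_response(response: dict) -> tuple[bool, str]:
    """Apply the library-style check from the question to one token endpoint response."""
    access_token = response.get("access_token")
    id_token = response.get("id_token")
    if not access_token:
        return False, "response carries no access_token"
    if not id_token:
        # This is the refresh_token grant situation from the thread.
        return False, "response carries no id_token; at_hash check is not possible"
    if not verify_at_hash(access_token, id_token):
        return False, "at_hash does not match the access token"
    return True, "access token is bound to the ID token"


def _constructed_id_token(access_token: str, alg: str = "RS256") -> str:
    """Constructed ID token whose at_hash matches access_token; the signature is a dummy."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps({
        "iss": "https://op.example",  # constructed issuer
        "sub": "user-123",
        "at_hash": compute_at_hash(access_token, alg),
    }).encode())
    return f"{header}.{claims}.{_b64url_encode(b'dummy-signature')}"


# Constructed responses mirroring the two grants discussed in the thread.
CODE_GRANT_TOKEN = "constructed-access-token-from-code-grant"
CODE_GRANT_RESPONSE = {
    "access_token": CODE_GRANT_TOKEN,
    "refresh_token": "constructed-refresh-token-1",
    "id_token": _constructed_id_token(CODE_GRANT_TOKEN),
}
REFRESH_GRANT_RESPONSE = {
    "access_token": "constructed-access-token-from-refresh-grant",
    "refresh_token": "constructed-refresh-token-2",
    # no id_token: the OP is not required to return one on grant_type=refresh_token
}

if __name__ == "__main__":
    for name, resp in (("code", CODE_GRANT_RESPONSE), ("refresh", REFRESH_GRANT_RESPONSE)):
        print(name, validate_token_response(resp))
```

`compute_at_hash` takes the digest length from the `alg` header rather than assuming SHA-256, because an ID token signed with RS512 carries a 32-byte (43-character) `at_hash`, not the 16-byte (22-character) one a SHA-256-only check would expect.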