Why does `Client.do_access_token_refresh` require `state`?

[lupreCSC]

Asking because the token refresh request in the OpenID Connect specification does not involve the state and it would be easier for our application if we could discard it after the initial authorization code flow.

[schlenk]

From a cursory look, only the get_grant() call (

pyoidc/src/oic/oauth2/__init__.py

Line 979 in 0e30cd2

if token.replaced:

) seem to actually need it, all the rest of the code seems to be happy if you pass in the token as a kwarg and ignores the state.

Is that the issue you see, e.g. a GrantError being raised there?

[lupreCSC]

Yes, I get a GrantError: No grant found for state:'' (or GrantError: No grant found for state:'None' if I set state=None instead of just leaving it out of the do_access_token_refresh call).