Keep id and access token claims when using refresh tokens #163
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Certain clients do not implement the OIDC specification correctly and do require the id token to be return even when using a refresh token. This is possible but optional in the specs, so it is no problem to just do it for compatibility reasons.
When using a refresh token, any potentially encoded extra claims for id and access token must be retained. With this change, the claims embedded into the refresh token are applied on top of any other access or id token claims before creating the corresponding token. This avoids loosing any of the backend provided claims when refresh tokens are used.
longsleep
force-pushed
the
longsleep-id-token-for-refresh-token
branch
from
c4fae39 to
4aa7aba
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a identifier backend injects custom claims, those need to be carried over to access tokens and id tokens which are issued after a refresh token was exchanged via the token endpoint. This PR adds support for this by applying any extra claims recorded in the refresh token to the corresponding access and id tokens.